Mark Chimley, an Information Assurance Architect and Cyber Security Consultant asks "What are reasonable mobile computing security procedures?"
Working on the Move
I am writing this on a train using mobile computing devices (a netbook and a phone) and I'm fairly happy with the security measures I've put in place and the procedures I'm using to enable mobile computing but, are these appropriate controls for the majority of people? There is always a risk involved in carrying out business practices outside of an office environment but it's pretty obvious that the advantages of the mobile office in its various forms are such that few of us can constrain our work to just occurring within a traditional office.
As a consultant providing information security advice to small businesses it's important to be able to provide pragmatic guidance. So, whilst I'm content with the practices that I employ, I'm conscious that these may seem too onerous for some people and perhaps too lax for others. I'll describe what I do, pose a few questions and hopefully stimulate some interesting and useful responses.
The first thing I consider for my mobile office activities is what type of data I am prepared to work upon outside of a corporate environment. We all have different types of information that we work on with different levels of impact to our businesses should that data be lost or compromised. I therefore tend to restrict my mobile work to those data items that would have minimal impact. If working on something that is of moderate sensitivity I try to ensure that it is isolated from its wider context and perhaps given additional security controls.
I find the environment of a train a very useful one in which to remove myself from the distractions and interruptions that are present in a normal office. This means it's a great place for me to think, design and write. These activities are best achieved (for me) using a notebook and pencil before transcribing to a computer so the first piece of media I carry is my (paper) notebook. Clearly this isn't a secure medium hence I tend to keep the content within it fairly benign so that its loss or disclosure would not have a great affect. For instance, the content I'm writing now is destined to be published hence I don't need to keep it confidential.
When mobile, I also use my laptop for emails and writing reports. The laptop has encrypted storage and I encrypt my emails where the content is of a sensitive nature. The laptop also runs internet security software and uses two-factor authentication to access the office network via a VPN. I also tend to ensure any data on the laptop is not permanently stored there so it's less vulnerable to being lost. This ensures data resilience because the data is ultimately backed up elsewhere and limits the potential for it being compromised.
On the phone I don't store any sensitive data. I just have a few email contact lists on there. I treat the phone as a communications device rather than somewhere to carry out data computing functions. I have a few Apps installed on the phone but only those that I need and I ensure they are from reputable organisations. The phone is configured to encrypt all my data and requires a password to unlock it which gives greater protection than a PIN. It auto-locks after ten minutes of inactivity.
I keep both the phone and laptop wireless cards disabled and I disable both Bluetooth and location services. The only exception to this is if I need to use the phone's mapping tools. In that case I turn on the GPS capability just for the time I need it. In general I try not to use any Wi-Fi outside of my trusted office (or home) networks. To gain data access on the move I use the data capabilities of the phone's 3G or 4G network with the laptop tethered to it via a cable.
In summary, then, I utilise encrypted storage on my devices, I avoid all untrusted Wi-Fi, limit my use of location-based services, use reasonable access control measures and limit the type of content I work on when mobile. Undoubtedly there are more security measures that I could employ but I'm fairly sure that the practices I've described would already be seen as too onerous by many people.
I'd welcome comments and feedback from you:
If you don't follow any such procedures and just use all phones, tablets and laptops on the move with settings out of the box and on any available network, I'd welcome your responses too. Mobile computing devices do have some pre-installed security features and if you're happy to rely on these, do let me know.
Finally, if you want to know more about the risks and issues of mobile working, please get in touch or have a look at these resources:
Information Assurance Architect and Cyber Security Consultant
e-mail us on firstname.lastname@example.org
call us on 0845 643 5375
or contact Janice on Linkedin via the link below