Managing the Mobile Workforce

By Lauren Barack

There's no question that mobile phones, Blackberries, Bluetooth-enabled PDAs and laptops, among other devices, have changed the idea of where work can be conducted. Now, business meetings can be held in different buildings on a corporate campus or while traveling. Use of mobile devices in the workplace continues to grow, and along with it, access to corporate information from wireless handhelds. By 2005, according to technology research firm Gartner, Inc., 60 percent of employees at 2,000 global companies will access corporate data from mobile devices.

When wireless devices aren't protected by a firewall, experts say data transfer to these machines is often not as secure as it is from within a networked perimeter on a corporate site. Gartner believes that handhelds using wireless networks will continue to be the biggest security problem facing businesses through 2008.

Wireless devices require additional layers of defense to thwart hackers. Once inside a network's IT infrastructure, hackers can be more difficult to detect than if they were hacking off of a tethered device such as a corporate PC because mobile devices flicker on and off a network's radar, depending on whether they are connected to the network.

Already, wireless handhelds have been the target of an attack. In August, Pocket PCs became vulnerable to a virus tagged Backdoor.Bardor.A and WinCE.Brador hat allowed an attacker to gain full control of the device. The program could allow a hacker to use the device to send out other hacks, or to send out spams. Fortunately, no companies reported any problems from the attack.

In July, a proof-of-concept worm called EPOC.Cabir piggybacked on wireless software Bluetooth to detect and locate other Bluetooth-enabled devices in its range. Its harm was limited to running out the battery life of the device it had infected while it continued to scan for other devices. But in Spain, hackers caused a denial-of-service attack that flooded the network of a wireless carrier with Internet e-mail, through a worm that brought down the company's text-messaging service in 2001.

Attacks like this are sure to occur -- and do harm -- as wireless devices become a more common workplace tool. The following strategies will help CIOs better navigate the mobile landscape, control access to the network, and maintain high levels of security:

• Scan. Regularly check for unprotected access points, which is one easy way for hackers to enter a network. And disable the broadcasting of identifiers to clients that aren't configured with an enterprise SSID (Service Set Identifier.) In doing so, unauthorized users will be prevented from noting the name of the wireless network should they happen to locate it.
  
  
• Audit. CIOs first need to conduct a thorough appraisal of possible wireless threats to its network, in part by determining how many mobile and wireless devices are used by employees to regularly access the corporate network. Ongoing security monitoring of wireless devices is key to enterprise IT defense, according to a report issued in November 2004 by a leading provider of information technology research, META Group.
  
  
• Train. All employees need to be trained and educated so they understand how data is being transmitted through these devices. Data security is further strengthened by understanding on the part of end users. Communicate how secure -- or insecure -- the main network is when accessed by a mobile tool. Limitations may need to be placed on the types of devices permitted to access the company's system.
  
  
• Protect. At a minimum, user authentication software should be installed on any mobile device allowed to connect with the company network. For further protection, security measures may include locking out users who attempt to sign on with the wrong password, or installing VPN -- or virtual private networks that creates an encrypted tunnel for the data to be transmitted across a network.
  
  
• Control. IT departments may maintain better control over security by requiring enterprise-wide employees to only use mobile devices purchased by the company. That way, IT departments can install necessary security software, personal firewalls and anti-virus tools, before the devices are distributed.
  
  
• Usable. Not least, companies should also consider user satisfaction when creating mobile security networks. Typing in long passwords on tiny keyboards may not only be a nuisance for the end users -- it often results in errors, which may result in more work for the IT staff. Consider assigning shorter passwords instead.

The number of mobile devices used by employees is only growing in the workplace, making it essential for CIOs to begin incorporating them into IT security strategies -- now.

Lauren Barack's work has been published in Business 2.0 and Wired.