UK figures show that the number of people working from home almost doubled between 1998 and 2004, rising from 16% to 28%of the workforce. Experts believe the figure will reach half of all British workers within the next three years. Add to this the rapid rise in sales of notebook computers, and the fact that one in six PCs is not protected, and the challenges for security managers in providing adequate protection to all staff are there to see.
John Redeyoff, information security director, NCC Group, says: "In the old days, the perimeter that you had to defend was the chain-link fence around your building. Then it became the network within your building and in some cases, the network that you shared with your suppliers and customers. Nowadays, with the advent of mobile working and all the opportunities that it presents, the perimeter no longer exists - it can be in your workers' homes, in a taxi, on a train or even at the local coffee store." With the growth in the home worker phenomenon over recent years, the IT industry has had to develop security tools in tandem. Data encrypting software, robust password policies and, more recently, biometrics, have all been employed to protect laptops and home PCs.
It is not just a matter of network security. The swift rise in the number of mobile workers has also meant the potential for corporate data to go missing has risen. Last year, for example, the Home Office lost 150 laptops. The previous year, 153 disappeared from the Ministry of Defence. Fortunately, government security policies will have meant that all the data on the machines would have been encrypted.
Can the same be said of the 4,973 laptops left in London taxis in the past six months, or the four a week lost at Heathrow airport? Mobile security should not end with protecting the link between machine and the office network. What data is contained on a machine matters as much.
However, protecting notebooks, whether in the home or on the road, pales in comparison to the challenges thrown up by both the emergence of wireless networks and so-called smart devices, such as Personal Digital Assistants (PDAs) and third generation (3G) mobile phones. These have brought internet-ready communications to hand-held devices and mean that more and more employees can operate outside the confines of the office, carrying important business and personal data and transmitting corporate information.
It is hardly surprising that the mobile working and wireless phenomena have attracted the attention of hackers and virus writers. They see the prospect of remote or wireless workers as huge attack vectors for either fraud or mischief.
Research also suggests that management thinking on mobile security has not kept pace with events. A recent survey by the Business Software Alliance, an industry pressure group, found that around half of UK IT managers were concerned about the effect of the rise in mobile working on their security, but that two-thirds had no plans to tackle the issue. Another recent survey by industry research house Quocirca, reported that, while security managers were confident about the security of their laptops, 40% of respondents did not believe that PDAs and smartphones should be treated with the same degree of seriousness.
NCC's Redeyoff said: "We are increasingly being asked more and more about this and, in response to our clients' concerns, have recently gone as far as developing a methodology specifically aimed at carrying out penetration testing of Blackberrys and their supporting environment. We are currently working on methodologies to test the security of a myriad of devices, such as PDAs and smartphones".
The situation is serious. According to a survey by Yankee Group, 60% of businesses have deployed, or are involved in installing, a wireless LAN. Last year, Cabir, the first airborne virus, affected wireless networks in the Far East and then Europe while, earlier this year, the CommWarrior virus was first detected in smartphones using the Symbian operating system - the most popular smartphone software programme. Bluetooth, the wireless messaging system, has also been targeted by virus writers. "The days of mobile innocence" declared industry research giant Forrester earlier this year, "are over".
Security on the move
The problem with wireless security is that the technology was developed to drive demand, with security issues rather an afterthought. One of the problems of keeping a WLAN network private has been that the original encryption standard, Wired Equivalent Privacy, has been too often compromised. However, a new standard, 802.11i, was developed last year, with a second set of specifications, WPA2, developed subsequently. Most Wi-Fi equipment being shipped today is WPA2 compliant. These new standards offer robust encryption tools that security experts believe make wireless networks as secure if not more secure than existing wired versions.
Authentication is also an area where advances in standards and tools offer better security solutions. The Extensible Authentication Protocol (EAP) is the often-used method of approving the connection between a network and a mobile device. EAP can use passwords, smart cards or digital certificates to authenticate users and access points. However, virtual private networks face the disadvantage of having to re-authenticate at each new access point. This should be addressed by the new standard, 802.1x.
The third key to secure your WLAN authorisation is the easiest to implement because it depends on policy rather than technology. The challenge lies in authenticating every device that connects to the network for authorisation, configuration and as being bug-free. Most network managers prefer to use an agent, a piece of software that sits at the client end and communicates with the client server, giving the information for authentication and then authorisation.
Security experts also caution over the deployment of access points to an enterprise's network. Limiting radio coverage of access points to the areas that are supposed to be covered is one aspect to be considered. This, though, will not provide protection against so-called 'war driving' where malicious operators with low-cost equipment, such as simple wire antennas, can connect with an access point well beyond its nominal range.
Wireless intrusion detection systems can help combat these threats by monitoring traffic on the network and radio activity. However, with multiple access points spread across a wide area, this could be a costly exercise. "It is not just about the technology," said Redeyoff. "Users need to be aware that with the convenience of mobile working comes a responsibility - the responsibility of not leaving your laptop in a taxi, for example."
Mobile computing is a fact of modern business life. It is up to senior management to embrace this fact and for security managers to act upon it in order to assure network security.
Christopher Price is a senior consultant at College Hill Associates and a former IT correspondent of the Financial Times and chief technology commentator for The Business.
