
Executive Thought Leadership



Securing the Mobile Workforce

The Internet and wireless networks have made information accessible to mobile workers from nearly anywhere.

Because mobility offers significant productivity gains, it is essential that enterprises embrace it. They also must successfully manage it. A recent study on mobility and business practices conducted by the Economist Intelligence Unit (EIU) in cooperation with Cisco Systems showed that during the next two years, 39% of 1500 executives surveyed intend to increase the number of hours they work from home. Another 42% expect to increase their work hours while on business travel.

With worker mobility rising, enterprises must be prepared. Wireless networks and mobile devices can create new avenues for unwanted parties and malware to find their way onto corporate networks. To optimize the value of the mobile workforce, mitigating associated risks is important.

Identify Your Vulnerabilities

The EIU study revealed that e-mail remains the top-rated mobile application, with 84% of respondents saying they use it during business travel. E-mail is also the application targeted most frequently by viruses and other malicious code, which can propagate quickly and cause network downtime.

According to the 2004 Computer Security Institute (CSI)/FBI Computer Crime and Security Survey, for the first time, viruses and denial-of-service (DoS) attacks have outpaced the theft of proprietary information in terms of their cost to organizations. The cost of viruses to U.S. enterprises jumped to US$55 million in 2003, the study estimates. Second most costly were DoS attacks ($26 million), followed by data theft ($11.5 million).

Establish Policies and Best Practices

To minimize risk, it is important to accept that employees will use new mobile tools, whether or not they have been formally sanctioned by the organization. Reluctance by management to adapt to new technologies will only drive users to circumvent corporate policies, which increases exposure. It is very difficult to manage and secure the unknown.

What can be done from a corporate perspective is to manage device configuration and mandate certain security processes. For example, it is becoming imperative to have an endpoint security policy for network admission control. This involves registering mobile products and refreshing them with the latest software versions and security updates, such as antivirus definitions, each time a user connects to the corporate network.

When deploying wireless LANs, following security best practices will go far in keeping intrusions off the network. Wireless networks posed early security challenges, because signals permeate walls, ceilings, and floors, rather than terminating at either end of a finite cable.

Implementing a robust two-way, mutual authentication algorithm within the 802.1X framework will not only authenticate the user identity but also verify the legitimacy of the radio access point that connects the user to the wired corporate network. Mutual authentication disallows a connection to an unauthorized access point, a potential launching pad for network entry.

In addition, it's a good practice to continually monitor the air for unauthorized access points, or "rogues," that don't meet corporate policy and may have been plugged in for convenience by an employee, for example. Special radio-frequency sensors and intrusion-protection software can be configured to automatically discover and disable rogues.

Gartner, a Stamford, Connecticut-based consulting firm, estimates that through 2006, 70% of successful wireless LAN attacks will occur due to the misconfiguration of access points and client software. It is important to conduct regular network audits to find misconfigurations that might provide an opening for attackers, such as an access point that doesn't conform to policy for the proper authentication algorithm.
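
As an added example (not part of the original article), the rogue monitoring and configuration audit described above can be sketched as a comparison between a sensor survey and the inventory of sanctioned access points. The record fields, finding labels, policy values and sample data are all constructed assumptions, not the output of any particular product.

```python
# Added illustration: record fields, labels and sample data are assumptions.
import re

POLICY = {
    "corporate_ssids": {"corp-wlan"},
    "allowed_auth": {"802.1x"},  # policy: mutual authentication within 802.1X
}

# Constructed inventory of sanctioned access points (BSSID -> location).
AUTHORIZED = {"00:11:22:33:44:01": "HQ floor 1", "00:11:22:33:44:02": "HQ floor 2"}

# Constructed sensor survey: what was heard on the air, and whether the
# radio's MAC address was also seen on a wired switch port.
SURVEY = [
    {"bssid": "00-11-22-33-44-01", "ssid": "corp-wlan", "auth": "802.1x", "on_wire": True},
    {"bssid": "0011.2233.4402", "ssid": "corp-wlan", "auth": "open", "on_wire": True},
    {"bssid": "02:AA:BB:CC:DD:10", "ssid": "linksys", "auth": "open", "on_wire": True},
    {"bssid": "02:aa:bb:cc:dd:20", "ssid": "corp-wlan", "auth": "open", "on_wire": False},
    {"bssid": "02:aa:bb:cc:dd:30", "ssid": "cafe-next-door", "auth": "open", "on_wire": False},
]

def norm_mac(mac):
    """Canonicalize a MAC so inventory and sensor formats compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(survey, authorized, policy):
    """Return (bssid, finding) pairs for access points that need action."""
    known = {norm_mac(m) for m in authorized}
    findings = []
    for ap in survey:
        bssid = norm_mac(ap["bssid"])
        if bssid in known:
            # Sanctioned hardware can still drift from the required settings.
            if ap["auth"] not in policy["allowed_auth"]:
                findings.append((bssid, "misconfigured: auth '%s' violates policy" % ap["auth"]))
        elif ap["on_wire"]:
            findings.append((bssid, "rogue: unregistered AP attached to the wired network"))
        elif ap["ssid"] in policy["corporate_ssids"]:
            findings.append((bssid, "impostor: unregistered AP advertising a corporate SSID"))
        # Anything else is a neighbouring network: not ours, not on our wire.
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY, AUTHORIZED, POLICY):
        print(bssid, finding)
```

The neighbouring network is deliberately not reported: only devices on the corporate wire or using the corporate SSID are in scope for the audit.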

Finally, similar to the Internet WAN edge, the wireless LAN represents another network perimeter. Putting a firewall or gateway where wireless and wired networks meet to control user access permissions to corporate network resources is a well-established guideline.

Accept the Inevitable

The days when corporate IT departments managed only stationary desktops attached to fixed Ethernet switch ports are over. Enterprises are moving to a mobile model of ubiquitous connectivity. Anticipating the ramifications is critical to successfully empowering your workforce while maintaining a secure network.

Mobility tools will become increasingly available. Accepting the inevitable and building a mobile framework will make it manageable. With a few good processes in place, employees will be mobile and productive, while corporate data and networks will remain secure.


Brad Boston
Senior Vice President, Global Government Solutions and Corporate Security Programs
Cisco Systems, Inc.