I've done my time in the emergency response war room of a large technology company. Our mission was to respond quickly to emerging digital security threats. We raced against the clock to help customers avoid or recover from the latest high-impact worm or virus rampaging across the Internet. That experience convinced me that the time to check the latch on the proverbial barn door is when the horse is still safely inside munching hay.
So far, Microsoft Windows Mobile powered devices have not been the target of choice for virus writers. We use Smartphones and Pocket PCs to browse the Internet and to download and run applications. Malicious code (viruses or worms) can enter our mobile devices in any of these ways. Viruses can make a phone unusable; cause false billing or unwanted disclosure of stored information; and delete, corrupt, modify, or steal your data. What worries your IT department is the risk of transmitting a virus to your computer or network when you sync.
I'd like to share with you how my company has set up our defenses on our company-owned Windows Mobile powered devices.
But first, a word from your IT department
Before I start giving out security advice, the usual caveat applies. If you are on a managed network, make sure you adhere to the policies and procedures set out by your organization. If they prescribe a specific way they want you to transfer data between your mobile device and your PC or to password-protect your device—just do it.
Your company's network or messaging/security experts are your best source for setting up and using a Virtual Private Network (VPN) connection—a secured virtual tunnel—with your device. Check with them before you follow my suggestions in this article. Otherwise, we could cause unnecessary headaches for the very people who are trying to protect you and your network.
My company started with a risk analysis, took advantage of select features built into Windows Mobile 2003 powered devices, and then investigated third-party products to use for specific protection.
Assess your risk
Start with assessing the types of data you need to protect on your mobile device. For many of you, your mobile devices contain confidential customer data ranging from contact information to ordering history. We do research and development, so the biggest risk we face is loss or exposure of confidential information. Government regulations may require even stricter security policies. If your company is in the healthcare or financial industry, you probably already know about the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley for protecting client information and business data. And anyone who does business in the European Union must meet the specific requirements of the EU Data Protection Act of 1998.
Use built-in security features
It's like that horse in the barn: if you don't want to risk losing it, lock it up. Take a few minutes and adjust your settings.
- Use a password. You can create a password to lock your SIM (subscriber identity module) card and/or your device. Locking does not prevent you from making emergency calls.
- On Pocket PC: Tap Start > Settings > Personal tab.
- On Smartphone: Tap Start > Settings > Security.
Locking your SIM card prevents anyone from using your phone without entering the password you choose.
To lock my device I use a strong password—why make it easy for someone who "found" my device to get inside? I also set the timeout for 5 minutes of inactivity, then my device locks up. Yes, it takes me a second or two longer to reactivate my device, but I feel my data is worth it. Here's a great introduction to creating strong passwords.
Take care of your password. If you forget it and need to break in by performing a hard reset, you will lose all the programs and data you've installed—though you can restore a lot of the data by synchronizing with your PC.
- Turn OFF unneeded services. Don't let your device talk to strangers. Keep Bluetooth, Infrared beaming, and Wi-Fi turned off until you need them. Accept incoming data only from sources you trust. Mark Miller, one of my former emergency-response teammates, used this analogy to explain what sort of trust we're talking about: "If your sister made you a sandwich, you'd accept it; but you wouldn't accept one from some guy walking down the street."
- Consider digital certificates. Sometimes your work requires a high level of authentication, proving that you (or a sender) are who you say you are or that a file has not been tampered with in transit. Ask your company's network administrator or security experts about using Digital Certificates. Windows Mobile 2003 powered devices support personal and root certificates. A root certificate is a small file that contains public key decryption data. A personal digital certificate is like an online passport or driver's license that associates an individual to a root certificate.
- On Pocket PC: Tap Start > Settings > System tab > Certificates.
- On Smartphone: Tap Start > Settings > Certificates.
Add extra protection where you need it.
At Ambient Insight, we began our research into third-party protection—mobile encryption, antivirus, firewall, and other add-ons—at these two Microsoft Web sites:
For any mobile security software we buy, I insist that it has an automatic update feature. If your protection software is not up to date, it's not worth the space. I also download the trial version before I buy. If the interface isn't easy, you know you won't use it.
- Encrypt what you want to protect. My dentist used to say, "Only floss the teeth you want to keep." Depending on the third-party software you choose, you can encrypt e-mail, folders, files, and external storage cards.
- Keep antivirus up-to-date. If you buy an antivirus service, make sure it comes with real-time protection. I look for automated distribution of software and over-the-air updates directly to my mobile device.
- Consider biometrics. HIPAA requires using two methods to protect patient data in storage or transit, and biometric aids, such as retinal scans or fingerprint recognition, must be one of them. New products are coming on the market to meet this demand.
Stay informed.
Security never sleeps. I'm willing to bet that your organization regards the mobile device you're carrying the same way your state views the driver's license in your wallet: it represents a privilege, not a right to drive, and it comes with responsibilities. Besides practicing "safe Internetting," you need to become mobile-aware.
Another thing: let's not forget the old-fashioned risk of physically losing your device—or having it stolen. According to a PDA usage study by Pointsec Mobile Technologies, the most common place to lose a PDA is in a taxi; the second most common place is in a bar. So, common sense says: Keep your mobile device in your hand, pocket, bag, belt-carrier, or purse when you're not using it, and keep your possessions close and secure. Look around when you get up to leave a place.
My last suggestion is not about your digital security, but about your personal safety. You may have read about ICE (In Case of Emergency), a good idea from the East Anglian (UK) Ambulance Service. In addition to putting emergency contact information in your wallet, add it to your phone under ICE1, ICE2, and so on, to help first responders know who to call.
For more information on this article or on e-learning research and technology, please contact:
Tyson Greer
Chief Executive Officer
Ambient Insight, LLC.
Tyson@AmbientInsight.com
Visit our Web site at: http://www.ambientinsight.com
This article was originally published on the Microsoft Windows Mobile Web site.