Current Print Edition
August/September 2008

Managing information on disparate devices

The technology-enabled portability of our working environment has led to the dispersion of corporate data on laptops, USB keys, PDAs, and home computers. This complicates the problem of managing sensitive information, but the fundamental principles haven’t changed, according to experts.

by Jacob Stoller

It’s six o’clock. You’re in the office finishing up a financial report for tomorrow’s board meeting. You glance at your calendar and suddenly realize that this is the night of your daughter’s school concert. You’ll have to finish up the report later tonight. You save your work to your laptop. As you’re about to shut your system down, you remember that you need some information from another report. You’re not sure which report, and you don’t have time to figure that out. So you download the whole report folder to your laptop, shut down, and head for the freeway.

This scenario is still fairly common, but its days may be numbered. A recent lawsuit involving Air Canada and WestJet is just one of the many recent reminders we’ve seen that allegations of stolen information can make big headlines. The legal landscape has changed as well. Recent legislation like Sarbanes-Oxley and PIPEDA has made senior management accountable for the protection of information, and has therefore moved the issue to the top of corporate agendas.

What’s making things tough is that data-carrying devices are everywhere. Personal digital assistants (PDAs) recently overtook laptops in sales, and they are getting more powerful, making it easier for users to use them as an extension of their office. USB keys, the tiny flash memory devices that can carry files to remote computers, are also becoming very common. Even the lowly cell phone will soon become a significant repository of data. As a result, corporate information is getting dispersed on more and more devices, and the task of managing it is growing proportionately.

Technology is doing its bit to keep pace, and protection of dispersed devices is improving. According to John Weigelt, head of security for Microsoft Canada, your PDA will soon have the security features of a desktop device. “We’re seeing a lot of the same security mechanisms that we would have on the desktop move into the mobile devices,” he notes. “Anti-virus solutions, VPNs (virtual private networks), even firewalls and intrusion detection devices for mobile devices. So I think more and more, that mobile devices will begin to appear like that desktop environment that we are familiar with.”

Weigelt warns, however, that framing the issue solely in terms of technology is misleading. “We need to be careful about looking at the electronic world overly differently than the paper world,” he stresses. The information in a financial report, for example, is as sensitive in a paper file folder as it is on a hard drive. What has changed is that the proliferation of data is so easy. With the click of a mouse, you can export enough information to fill a few filing cabinets.

According to Constantine Karboliotis, head of the security and privacy practice for CGI in the Greater Toronto Area, the increased collection and flow of information is inevitable. What organizations need to do is find ways to manage it properly.

“You couldn’t deliver a service and you couldn’t do business if you didn’t collect information,” says Karboliotis. “The question is, are you thinking this through? Have you addressed the issues? Have you understood them? Have you run through scenarios of what might happen if information is exposed? Do you have mechanisms actually in place? Technology is an important tool, but understanding the business and understanding the business risks have to precede all of it.”

There are many practical aspects to this, but user education, awareness, and common sense are central themes. Some common recommendations are:

  • Insist that, when gaining access to sensitive documents, users work with server copies wherever possible (this has gotten much easier with Web-based technology). When downloading is necessary, users should take only the information that they require. For example, sometimes it’s possible to use a subset of a report, perhaps an executive summary, instead of the whole report. Role-based access policies can help codify this kind of approach on a consistent basis. And once that is in place, document management systems and other tools can be configured to support these policies.
  • Take reasonable precautions against theft of mobile devices. The data on the laptop in the back seat may be worth many times more to a thief than the laptop. Corporate policy should dictate that the laptop goes in the trunk. All mobile electronic devices can be equipped with power-on passwords in case they are lost or stolen. The procedures are often simple, yet effective.
  • Beware of that home PC! According to a study conducted in 2004 by NCSA (National Cyber Security Alliance) in the US, 67% of all home PCs have no firewall protection whatsoever. Symptomatic of this, 20% of all home computers are infected with a worm and virus, and a whopping 80% have spyware or adware components installed. Yet over 70% of home users believe they are adequately protected against viruses and intrusion.

When it comes to using technology to protect information, the most powerful weapon is arguably the encoding or encrypting of data, which makes it unreadable to unauthorized viewers. Encryption is commonly used in VPNs and other secure transmission methods. But it is also used in storage. An encrypted file can be protected to the degree that it can only be accessed with the password that was used to save it.

The downside of encryption is that it is resource intensive. This means that it consumes bandwidth and disk space, slows performance, and drains PDA batteries. Karboliotis warns, therefore, that encryption has to be deployed judiciously to ensure a reasonable level of compliance. “You have to address the administrative and human aspects of this (encryption) if you want to make people actually do it,” she says. “If you create encrypted portions of individual hard disks, and if they don’t have easy ways to get information in and out of it, they’re not going to use it. They’re going to put information in the unencrypted portion. And then you’ve missed the point entirely.”

The threat of losing data also exists. Says Karboliotis, “Some of those encryption technologies are so strong that for all intents and purposes, that data’s gone if you lost access to it.” This can be a big headache for administrators. “It’s got to be able to be done centrally. If you’ve got USB keys, or PDA devices, there has to be a way of managing all of those passwords, and access to them, so that there’s always an ability to get back in.”

Encryption technology will improve and get easier to use, but like all other technology, it will never be a silver bullet. Inevitably, organizations will have to get good at managing dispersed information, and this has more to do with managing people than it does with managing devices. In the long run, management will have to trust their employees, and employees will have to have the well-being of the company in mind as they go about their business.

Jacob Stoller is principal of StollerStrategies, a Toronto-based consultancy focused on technology issues.
