Mobile devices, particularly laptops, have made life easier for the millions of Americans who telecommute or travel frequently. The technology delivers easy access to information and services from almost anywhere, but does that access come with a steep price tag?
A laptop is stolen every 53 seconds, and 97 percent of them are never recovered -- a shocking statistic from the most recent FBI study in 2003 to examine laptop theft.
Recent events underscore what's at stake when mobile devices containing vital information are lost or stolen. These incidents can cost organizations millions of dollars to purchase credit monitoring services for affected customers. They also generate a mountain of bad publicity, which can raise doubts about an organization's credibility.
With the rash of missing laptops in the government arena -- including the Department of Veterans Affairs, the IRS, the U.S. Department of Transportation and Minnesota's State Auditor -- agencies are strengthening policies and procedures to protect mobile devices.
Federal legislation -- including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act -- has already been implemented in the health-care and financial industries to protect constituents' personal information and regulate how it's accessed and disclosed.
More recently, California followed suit by passing SB 1386, which mandates that public and private organizations notify customers if their personal information has been illegally accessed.
Kevin Dickey, chief information security officer (CISO) of Contra Costa County, Calif., described some of the laws as knee-jerk decisions, including California's SB 1386, which covers private industry and state agencies, but exempts local governments. Localities were omitted from the California law because the state didn't want to be financially responsible for funding local governments to comply with the regulations, Dickey said.
The problem government agencies face in ensuring security measures doesn't lie solely with lengthy legislative processes and funding issues; it is heightened by rapid technological evolution.
"Technology has generated faster than the security has kept up with it," Dickey said, adding that security is always chasing technology. In addition, he said technology manufacturers usually think about marketability and user-friendliness as opposed to security.
Because accessibility is heavily promoted in our society, it has become second nature for many individuals to use mobile devices -- and they don't want barriers. "Most people look at security controls, authentication and access controls to be an inconvenience," Dickey said.
Another security issue surrounding technology is that government workers tend to have a lackadaisical mindset regarding government assets. "You wouldn't leave your keys to your car in your car," Dickey said, "but a lot of people just leave their computers turned on and walk away from their desks."
Changing this mindset and addressing other issues calls for establishing policies and procedures on acceptable use of government assets.
Contra Costa County established such policies and procedures, according to Dickey. In addition, the county standardized on anti-malware software, which protects against worms and Trojans that may contain malicious code.
Although his county is taking these steps, Dickey said, there aren't consistent security standards across government. "For instance, one county might be looking at it completely with a different set of eyes," he said. "But from a best practices standpoint, they should all be looking at it through at least the same kind of vision."
The problem isn't only at the local government level. States face the same dilemma when securing mobile assets.
"There's certainly stuff being done, but right now every agency is basically taking care of stuff at its own discretion," said Chris Buse, CISO of Minnesota. "We can't really give you an answer that says this is happening consistently across all state government."
However, shouldn't government entities more aggressively ensure