July 10, 2000

E-Security:
The New E-Security Frontier

The proliferation of Internet technologies has helped fuel the telecommuting wave with its mobility and connectivity needs, but it's been a double-edged sword as that very mobility has increased security threats to networks from dial-up and wireless access.

By Dr. Martin Goslar, Ph.D.

Illustration by Bill Schwartz

    The term telecommuting used to have a mildly negative connotation associated with employees who had the time and the type of flexible responsibilities that let them work from home and avoid some of the daily commuting and office interruptions that are part of the workaday world.

    Fast-forward to the year 2000 and we find busy, globe-trotting professionals working all sorts of hours from anywhere their business takes them. And the types of activities they're conducting from their notebooks and handhelds are the same as those they perform from their office--communications, E-mail, voice mail, uploading and downloading of files, Web browsing, and even streaming media.

    While companies have been busy--if not always terribly effective--instituting E-security measures to block external threats to their Web sites, mobile systems that access corporate systems are largely unprotected. This has dangerous implications as more employees take to the road with their handy notebooks and personal digital assistants.

    An American Management Association telecommuting study of more than 1,200 workers conducted last year indicated that only 23% of the respondents worked exclusively from regular office locations. Many respondents reported accessing company systems before and after work, while on trips, and in other business-related activities during off time.

    That study also found that 24% of employers loaned employees the equipment to work from home while 27% purchased the necessary equipment, 3% required the home-based employee to pay for the equipment they needed to telecommute, and 7% shared expenses with the employee.

    Professionals, managers, and executives require far more mobility and connectivity to keep up with an expanded range of duties and competitive business pressures. The proliferation of Internet technologies has helped fuel this newfound productivity and mobility. But it's a double-edged sword, opening up the possibility of more security threats over dial-up and new wireless access services.

    The term telecommuting, defined as a description of modern business behavior, is less than accurate. There are actually two components to mobile computing--the telecommuter and the telecomputer--with different security concerns for each.

    The most important aspect of mobility should be the individual--whether employee, customer, or supplier--who requires access to organizational systems. "Should be" is the operative term. In practice, IT departments tend to focus more attention on the mobile devices and the systems they access.

    Personal devices such as handheld computers, often absent from IT supervision, reflect the idiosyncrasies of their owners. Antiviral software may or may not be installed. If it is, it's questionable whether the software is active and has been updated within the last quarter. Difficulties associated with newly installed applications often result in the user disabling the security procedures that have been put in place.

    IT departments are severely challenged by the demands of mobile access. The types of access can range from sending or downloading E-mail to application access. Those accessing company databases can be performing a variety of activities, from customer verification and account updating to information review, product delivery, and code updates.

    Worrying about the mobile worker tends to take a backseat to worrying about the systems that are being accessed. But mobile workers also can pose potential security threats, such as those stealthy employees intent on unauthorized intrusion.

    Security threats to companies and individuals posed by mobile workers exist on several levels. The IT department must consider the potential impact on users and administrators, as well as systems.

    Here are some examples of the growing list of potential security problems corporate IT departments must anticipate and enact policies to deal with:

    • Individual or mobile worker threats can take the form of data intrusion, system damage, or data destruction. Workers can gain unauthorized access to trade secrets, classified information, or company data on local machines. They can also damage stored information and destroy hard-disk contents.
    • Unauthorized access can lead to loss of productivity. Missing, damaged, or altered data can result in substantial productivity loss and affect the IT resources required to recover those resources. Not only is the mobile worker out of action, but additional IS staff is required to resurrect the damaged systems.
    • Application intrusion and proxy execution pose another sort of security threat. The unauthorized remote execution of applications--under the guise of authorized activity--can result in intrusion from what appear to be trusted parties.

    Let there be no doubt that online security is becoming fundamental for a company's survival in the frenetic world of E-business. Businesses, government agencies, and nonprofit organizations are IT-intensive and totally dependent on their information systems to operate on operational, tactical, and even strategic levels.

    While you might think the IT staff can handle online security as an additional duty, the complexities and alternatives encompassed by E-security mandate round-the-clock attention by trained, intelligent, and experienced security professionals.

    The information era is not a cliché. Businesses would immediately fail without their customer and product databases, customized software, information architectures, and hardware configurations.

    Here's the scary part: As emphasized in the 1999 annual study conducted by the Federal Bureau of Investigation and Computer Security Institute, unauthorized internal intrusions continue to be a major challenge to businesses, with hostile external intrusions spiraling upward as well.

    As I'm sure you remember, LoveLetter.A and NewLove worms are associated with students. But demographic research indicates that the motivations of cybercrackers are changing in ways that rival the expertise in your IT departments and the new law enforcement cyberinvestigation units.

    Technical training and information is plentiful and inexpensive, thanks to the Internet and extreme shortages of skilled talent. And high-tech crime offers higher potential payoffs and lower prosecution rates than most other forms of illegal activity.

    Consider this: Israel's first hacker convention was held in March and brought together more than 350 people to hear cybercracker heroes, including Kevin Mitnick, recently released on parole, and John Draper (aka "Captain Crunch"), who helped launch the hacker phenomenon. What sort of things did they do at the conference? Attendees played "hack the sites," finding more than one in four Web sites vulnerable to unauthorized entry.
