Once a service engineer, armed only with their wits and a handful of tools, could put the entire world to rights. But that’s a distant memory. Nowadays they are frequently armed with a portable computer that performs an array of diagnostic and analytical tasks and carries a mass of important data, and this introduces some new factors for a business to consider. A portable computer is not a tool in the same sense as a spanner or a multi-meter. It can contain a wealth of data, and whether that is personal data about customers or sensitive proprietary company information, the loss or theft of the device exposes the company to risk: the risk of contravening legislation such as the Data Protection Act (DPA), the risk of damage to the company’s brand should customer data be discovered to have been compromised, or the risk to the very viability of the business should proprietary information become available to competitors. While it is now undeniable that data loss poses a risk to the modern business, Ian Kilpatrick, founder and chairman of value added distributor and security specialist Wick Hill, reports that not all businesses are moving to address the issue. ‘Awareness of data security issues varies greatly by organisation,’ he says. ‘Organisations such as those involved in financial services are very well aware of their obligations and the issues involved; however, what is astonishing is the difference between awareness and actions,’ he notes. ‘A recent survey revealed that between 70 and 80 per cent of companies viewed security as a “high” on the corporate agenda, and yet so many companies do not pursue the issue and take action, and the key reason for not doing so is a failure to undertake a comprehensive risk assessment of all aspects of the business,’ Kilpatrick insists.
While it appears to be a universally held belief among experts and security practitioners that an effective data security policy must embrace all aspects of a business, mobile data solutions still appear to be a weak spot. Alwyn Nash, UK and Ireland regional technical services manager for encryption and access control specialist Pointsec Mobile Technology, explains: ‘Companies go to great lengths to ensure the physical security of an office building with guards on the doors and bars on the windows, and the IT infrastructure is secured through all manner of access controls, but immediately outside the door of the building, mobile solutions are still being deployed without regard to security,’ Nash revealed. ‘An engineer’s van or a customer’s site is that engineer’s place of work, and just because his “desk” is no longer physically in the building, why should the security of the data that he is handling be treated any differently?’ he added. Ian Kilpatrick believes that where mobile devices are considered separately from a company’s primary infrastructure, the problem is exacerbated. ‘What we have found is that mobile devices are seldom fitted strategically into an organisation - they were deployed to fulfil a tactical need, and so a risk assessment of security implications has never been made, and therefore the business is exposed as the risk is not being managed,’ he said. It is quite evident that when planning a mobile solution, attention must be paid at the outset to device and data security. Martin Morey, mobile data solutions expert and general secretary of the Mobile Computer Users Group (MCUG), reveals that the choice of device can also have a bearing on the likelihood of losing the device and its data to theft.
‘Consulting for one company that previously had used tablet devices, the level of loss from theft was measurable but it was low, because a tablet device is not so attractive a piece of equipment when it is being sold in the pub by the criminal elements. Once that company migrated to laptop devices, the theft rates increased noticeably. The more a machine looks like a consumer device, the sooner it is likely to walk,’ Morey notes. This notion of laptops and Personal Digital Assistants (PDAs) being in greater consumer demand throws up an interesting economic quandary for managers to consider. ‘A purpose-built, hardened mobile device may be many times more expensive than a PDA, but since it is not attractive to a thief it will have a far longer working life. With such a specialist device, the basic software will change less often than on a consumer-oriented machine, and companies therefore do not need to keep changing bespoke application software. This more stable environment is cheaper in the long term since companies are not having to manage change and upgrades the entire time,’ Morey explains. Whatever device is ultimately selected, its physical security is often a good place to start, as Gordon Frewin, sales and marketing director of West Sussex-based Autosafe, explains. ‘Once a company has become a victim of theft then they pay far greater attention to the physical security of their hardware, in much the same way as homeowners change the locks and consider purchasing alarms only after the home burglary. Our Autosafe products are not intended to completely replace a software security solution, but when you are considering a holistic approach to device and data security, safeguarding the hardware in the first instance must play a key role in any policy,’ he said. In addition to the need for device and data security, the provision of secure storage within a vehicle for mobile devices is being championed by a new voice at the board table: the health and safety representative.
‘Carrying a laptop obviously has the potential to expose the user to the risk of mugging and physical violence in the act of someone stealing the device, but increasingly companies are also considering the weight issue and the risk of muscular or skeletal injury. With the rise in litigation and time off, as part of a company’s due diligence process it is hardly surprising that health and safety is having an input,’ Frewin reveals. One challenge of physical security is getting the co-operation of the users, but in some cases a company’s own security policy can itself cause a problem. ‘Companies may have a security policy that states that a laptop may not be left unattended, but it must be conceded that any such policy is intrinsically flawed because it is both impractical and unrealistic. In a service environment, an engineer performing an upgrade may only require a USB memory device, so is he realistically expected to carry a laptop simply to meet policy when the safest place for that device is in a safe back in the vehicle?’ Frewin argues. Martin Morey suggests that when considering a security solution, close consideration must be given to those who are actually expected to follow the procedures in the field. ‘What was agreed by people in suits, sitting around a board table, may be impractical or considered unworkable at a grass roots level. An example, perhaps, is dictating that staff use a secure box for a mobile device whenever they finish a call and retrieve the device at the next site. In the field, what may happen is that the staff use the box at the end of the day or whenever the van is being left for a period of time, but throughout the day the device is simply hidden from the view of prying eyes,’ Morey says.
Martin Morey notes that the vast majority of portable computer thefts from vehicles are opportunistic crimes that can be prevented by the most modest of security measures, but on those occasions when the thief has the time, opportunity and tools to attack the physical security measures, and at those moments when the device finds itself unguarded, another line of defence is required. At that point the hardware itself is lost to the criminal; what remains is the need to protect the data within it and to prevent any further loss to the business beyond the replacement cost and lost productivity. While the need to protect the data appears obvious, a stolen portable may give a thief access to a far greater range of privileged information, as Alwyn Nash explains. ‘The power and capabilities of mobile devices are far greater now than ever before, and companies deploying them must now consider not just the data that is held on these devices but also the fact that they can provide an access point to a corporate network. If a unit is taken from an engineer’s vehicle, the criminal has not just gained the hardware to sell on but, if they are so inclined, can start roaming around a corporate network,’ Nash says. ‘If a criminal gets hold of a device then often the only thing between the criminal and access to an entire corporate network can be a six figure password, and programmes exist that are specifically written to crack such a measure in minutes,’ warns Ian Kilpatrick. ‘Companies must consider using multi-factor authentication, needing both something that the user knows, such as a password, and something the authorised user possesses, such as biometric data or a key generating token, to effectively secure devices and networks,’ he adds. But it is perhaps the loss of data itself that poses the greatest risk to the modern business - regardless of whether that data is accessed on the mobile device itself or on a corporate network through a portable device.
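To make Kilpatrick’s two-factor point concrete, the following is an added example (not code from the article, from Wick Hill or from any vendor quoted here) of how a “key generating token” and a password combine at the authenticating side. The token logic is the standard HOTP/TOTP construction (RFC 4226 and RFC 6238, HMAC-SHA1, 30-second steps); the enrolled secret, the password and the in-memory credential record are constructed for the example, and the salted SHA-256 password hash is a stand-in for a slow password KDF so the block needs only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// storedCredential is what the authenticating side keeps per user: a salted
// password hash plus the shared secret the user's token was enrolled with.
// The password itself is never stored, so a copied credential store does not
// hand over the "something the user knows" factor.
type storedCredential struct {
	salt         []byte
	passwordHash []byte
	totpSecret   []byte
}

// hashPassword is a stand-in for a slow password KDF (bcrypt/argon2) so the
// example stays stdlib-only; the two-factor logic does not depend on it.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// enrol records a user's password hash and token secret (constructed inputs).
func enrol(password string, totpSecret []byte) storedCredential {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return storedCredential{salt: salt, passwordHash: hashPassword(salt, password), totpSecret: totpSecret}
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then the low `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp implements RFC 6238: HOTP with the counter derived from the clock,
// which is exactly what a key generating token computes every `step` seconds.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyLogin is the two-factor check. Both factors are always evaluated and
// the results combined, so a failure does not reveal which factor was wrong.
// Codes from one step either side of `now` are accepted to absorb clock drift.
func verifyLogin(cred storedCredential, password, code string, now int64) bool {
	passOK := subtle.ConstantTimeCompare(hashPassword(cred.salt, password), cred.passwordHash) == 1
	codeOK := false
	for _, t := range []int64{now - 30, now, now + 30} {
		if subtle.ConstantTimeCompare([]byte(totp(cred.totpSecret, t, 30, 6)), []byte(code)) == 1 {
			codeOK = true
		}
	}
	return passOK && codeOK
}

func main() {
	// Constructed enrolment; the secret is the RFC 6238 test-vector key.
	cred := enrol("correct horse battery staple", []byte("12345678901234567890"))
	now := time.Now().Unix()
	code := totp(cred.totpSecret, now, 30, 6) // what the token would display right now
	fmt.Println("password + current code:", verifyLogin(cred, "correct horse battery staple", code, now))
	fmt.Println("password alone, guessed code:", verifyLogin(cred, "correct horse battery staple", "000000", now))
	fmt.Println("captured code, wrong password:", verifyLogin(cred, "letmein", code, now))
}
```

The point the block makes is the one Kilpatrick draws: a password recovered from a stolen device is useless on its own, because the second factor changes every 30 seconds and depends on a secret the thief does not hold. The drift window of one step either side is a deliberate trade-off between usability on a field engineer’s laptop with an imperfect clock and the replay window it leaves open.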
Companies themselves now realise that it is this data, and not the hardware, that is the most valuable commodity, and it should come as no surprise that criminal elements have reached the same conclusion. In an age when everything from access to banking, benefits, healthcare and even credit is ruled by computers and electronic algorithms, identity theft is a primary concern for the public, and companies must face up to the duty of care and the legal responsibilities that they have to their customers. But a particular challenge is a cultural one, as Ian Kilpatrick explains. ‘Oftentimes, the first a user is aware of the enormity of the issue is when a device is actually lost and stock is taken of the information that is now missing from an organisation,’ he says. ‘Any employee who left a vehicle with all the doors open, the keys in the ignition and the engine running would expect to be castigated on its theft, but people seldom feel the same degree of responsibility to the data that exists on a mobile device,’ Kilpatrick observes. Companies need to pay attention to the nature of the data stored on each machine as part of a meaningful risk assessment. Martin Morey explains how this works in practice. ‘Many utilities have a hierarchical way of looking at the need for security. In the first instance, a device may simply contain information on the location of the utility infrastructure, and this information is already in the public domain - albeit in a fragmented way - as companies need to know the location of pipes and cables, at which point the main concern is the cost of replacing the device. The second layer may include copyrighted information and licensed material, while the most attention is paid to those machines where, even if only temporarily, work management applications are stored which detail customers’ names and addresses and may even detail other information such as whether customers are elderly or vulnerable in some other way,’ Morey concludes.
While hardware and software solutions concentrate on both the requirement for and the ease of transmitting data between users, organisations must now consider some far stronger measures to add a significant element of control to that situation. ‘I have seen USB ports being super-glued and other ports being crimped to prevent a connector being inserted, but the advances of modern technology are designed to make it easier to share information, because the dissemination of information throughout a company is often what drives business,’ notes Alwyn Nash. ‘Companies need to know where all their sensitive data is, but the truth of the modern business is that that situation is now impossible, so companies must now be considering access control and data encryption as part of a coherent security policy. Nowadays, MP3 players and even cameras will come up as a drive letter, and with USB memory sticks and PCMCIA drives there are plenty of options for people wishing to remove data from a device. The only answer is to use a policy driven system that will ensure that any data written to a port will be encrypted,’ Nash insists, adding that only by engineering a solution whereby all responsibility for the use of the security measures is taken out of the hands of the user will data ever be truly safeguarded. Where in the past data encryption was expensive, slow and cumbersome, nowadays there is no performance hit and the user remains unaware that all the data is being encrypted in the background; that transparency is a key factor in gaining end user acceptance of any such system. Just as importantly, for those not swayed by the legislative need for tougher security, software-based data security is now affordable. ‘Mobile IT users, whether in a sales or service environment, are often high value users with high value data, and the cost of securing their devices is trivial in comparison,’ Ian Kilpatrick points out.
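Nash’s “policy driven system that will ensure that any data written to a port will be encrypted” has two parts: a single choke point that every write passes through, and a decision made by destination rather than by the user. The block below is an added example of that shape (not code from the article, from Pointsec or from any product mentioned here). The mount-point table, the in-memory “filesystem”, the device key and the customer record are all constructed; the cipher choice (AES-256-GCM, with the destination path bound in as associated data) is the example’s own, since the article names no algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// removableMounts is a constructed policy table: any destination under one of
// these mount points is treated as removable media (USB stick, card reader,
// MP3 player that "comes up as a drive letter") and may only receive ciphertext.
var removableMounts = []string{"/media/usb/", "/mnt/sdcard/", "E:\\"}

func isRemovable(path string) bool {
	for _, m := range removableMounts {
		if strings.HasPrefix(path, m) {
			return true
		}
	}
	return false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts with AES-256-GCM and binds the destination path in as
// associated data, so a blob copied to a different location will not open.
// Layout on the stick: nonce || ciphertext || 16-byte authentication tag.
func sealBlob(key, plaintext []byte, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// openBlob reverses sealBlob. A wrong key, a wrong path or a single flipped
// bit in the blob fails authentication and returns an error, never garbage.
func openBlob(key, blob []byte, path string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(path))
}

// policyWrite is the single choke point every write passes through: the
// decision to encrypt is made by destination, not by the user. `store` stands
// in for the filesystem (constructed, in-memory) so the example needs no I/O.
func policyWrite(store map[string][]byte, key []byte, path string, data []byte) error {
	if !isRemovable(path) {
		store[path] = data // internal disk: covered by whole-disk encryption, out of scope here
		return nil
	}
	blob, err := sealBlob(key, data, path)
	if err != nil {
		return err
	}
	store[path] = blob
	return nil
}

func main() {
	key := make([]byte, 32) // constructed device key; a real deployment keeps this in a protected key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := map[string][]byte{}
	record := []byte("Mrs Smith, 12 High St, vulnerable customer: yes") // constructed sample
	dest := "/media/usb/workorders.csv"
	if err := policyWrite(store, key, dest, record); err != nil {
		panic(err)
	}
	fmt.Printf("on the stick: %x\n", store[dest])
	_, err := openBlob(make([]byte, 32), store[dest], dest)
	fmt.Println("opened with the wrong key:", err)
}
```

Because the write path cannot be bypassed from the application, the user never has to remember to encrypt, which is the “responsibility taken out of the hands of the user” property Nash describes; and because GCM authenticates as well as encrypts, a stick that has been tampered with or a blob moved to another path is refused outright rather than decrypted to nonsense.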
‘Looking at a small organisation with a requirement for ten users, the cost of providing two factor authentication combined with encryption would be less than £150 per user. Bearing in mind that for an SME the cost of remedying a security breach can be between £15,000 and £20,000 - and that figure can go through the roof for a large, well-known PLC - the cost of securing data is insignificant,’ he maintains. The self-evident truth is that mobile computers do not need to be the weak point in corporate defences. Companies, however, must take the time and make the effort to design a mobile solution that from the outset satisfies the requirements of the users yet effectively mitigates the risk of data and hardware being outside the physical perimeter of the business. Any comprehensive and successful security strategy is likely to involve a tiered approach of both physical and software-based measures, designed to thwart the attentions of the opportunist thief as well as the more organised and sinister criminal. The raw statistics show that an organisation will in all probability suffer the loss of a portable device at some point - and, as with most eventualities in business, it is how an organisation prepares for that event which will ultimately decide whether all that is required is an insurance claim or far more costly - and potentially business threatening - remedial action.