
The staff, the thief, the device and its data

The spate of recent data loss scandals has made mobile data security a hot topic, but the right tools and best-practice policy can mitigate the risk.
CIO (UK)
Published on 30 June 2008 at 18:04

Data being leeched from company databases by less secure mobile devices is a common occurrence, making data leakage the big technology issue of 2008. With the increasing use of mobile phones, PDAs and laptops as work tools, important company data is removed from the office every day.

This increase in data sharing promotes an environment suitable for data leakage and is aggravated by the associated use of hot-desking, home working and wireless hotspots. It is further complicated by the shuttling of data back and forth between staff on USB sticks, CDs, DVDs, backup tapes and even iPods. As a consequence, security breaches are on the increase.

Whether it is HM Revenue & Customs losing 25 million records on CDs, the Ministry of Defence losing details of 600,000 servicemen and women in a laptop theft, or the recovery (from beside a bicycle shed) of a USB drive containing the personal details of Perth & Kinross Council workers, cases of data loss appear with uncomfortable regularity.

The Payment Card Industry Data Security Standard (PCI DSS) that is currently being implemented, as well as the forthcoming governance regulations in the Companies Act, will force UK businesses to focus on the problem of data leakage.

Public knowledge
Unlike many other parts of the world, in the UK there is no requirement to disclose data breaches. The Identity Theft Resource Center (ITRC) reports that data breaches in the US doubled to 167 during the first quarter of this year, compared with the same period a year ago.

That figure is probably similar in the UK, and the ITRC figures do not even account for encrypted files that may have been compromised. However, there remains no real breakdown of the number of breaches that are directly related to mobile data.

In all fairness, and in terms of numbers, the incidence of data breaches as a result of mobile device theft is perhaps not as high as scaremongers would have us believe, simply because it is not as anonymous as covert internet hacking. If someone wants to steal data, doing so by taking a laptop means they run the risk of discovery, perhaps being seen by someone, or monitored on a security camera. But it does happen, and the theft of one laptop can do more to expose a company’s data than any concerted hacking or social engineering exploit.

However, theft of mobile devices is a problem for many reasons, not least because access credentials and permissions are often stored on the mobile device itself, and there is no local security, such as pre-boot authentication or disk encryption, to stop a thief from simply booting up the computer. For this reason, even allowing remote access from such a device can open a back door to company systems.

Maxx hack
The biggest hack to date is the well-publicised attack on retailer TJ Maxx, where an estimated 45 million customer records were stolen. The attack started by compromising a wireless LAN that only used Wired Equivalent Privacy (WEP) encryption that can be cracked within 10 minutes by an experienced hacker.

The compromised network allowed entry to other systems and the breach has, according to the company, cost an estimated $12m (£6m), but analysts believe this may actually stretch into more when the full cost of the remedial work and harm to the brand is taken into account.

However, before the issue of mobility can be addressed, it is necessary to understand the extent of the problem by taking an audit of all the mobile devices used within a company. Capricode has developed SyncShield, one of a growing number of mobile device management products that help to manage smaller mobile devices such as smartphones and PDAs. “The first step is to get information on the types of phone you have and the software used into one database. And while you can do it with Excel or with asset management products, it entails extensive manual work,” says Erkko Vainio, business development director at Capricode.

“A mobile device management product which is really designed for business use can allow you to collect the information over the air after you’ve installed a client on the phones,” explains Vainio.

According to Vainio, this could extend the problem as it introduces some unpleasant surprises. “You may find that some people, even though most will have business phones, will be using their own private phones. This means that even though a company may have issued, for example, Nokia phones, the actual mix could include iPhones and BlackBerries.”

Vainio recommends limiting the number of operating systems and phone models to make the system more manageable. “When you commission a new laptop, it will have been standardised so you have a limited number of configurations. You can decide what kind of software you want to have on it and what the settings should be, whether it’s done by the reseller or using your own image. This is what IT managers know how to do, and this is what to aim for with the smartphones as well,” he comments.
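The audit-then-standardise process described above can be expressed as a small compliance check over an inventory export. The following is an added example, not code from the article or from Capricode's SyncShield: it reads a constructed CSV of the kind a mobile device management tool might export (the column names, device records, model names and version numbers are all assumptions), reports the actual mix of handsets, and flags the surprises Vainio warns about: personal phones, models outside the approved set, and operating system versions below the agreed baseline.

```python
# Added example, not code from the CIO article or from Capricode's SyncShield.
# It runs a policy check over a constructed MDM-style inventory export and
# reports personal handsets, unapproved models and out-of-baseline OS versions.
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample export; the field names and records are assumptions,
# not any product's real format.
INVENTORY_CSV = """\
device_id,owner,model,os_name,os_version,company_issued
N01,a.smith,Nokia E71,Symbian,9.2,yes
N02,b.jones,Nokia E71,Symbian,9.1,yes
P01,c.brown,Apple iPhone,iPhone OS,2.0,no
B01,d.green,BlackBerry Curve,BlackBerry OS,4.5,yes
N03,e.white,Nokia E61,Symbian,9.2,yes
"""


@dataclass(frozen=True)
class Baseline:
    """The 'limited number of configurations' an IT manager has agreed on."""
    approved_models: Set[str]
    min_os_version: Dict[str, Tuple[int, ...]]  # os_name -> lowest acceptable version


# Constructed baseline standing in for a real standardisation policy.
BASELINE = Baseline(
    approved_models={"Nokia E71", "BlackBerry Curve"},
    min_os_version={"Symbian": (9, 2), "BlackBerry OS": (4, 5)},
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2' or '4.5.0' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def check_device(row: Dict[str, str], baseline: Baseline) -> List[str]:
    """Return the policy findings for one inventory row (empty if compliant)."""
    findings: List[str] = []
    if row["company_issued"].strip().lower() != "yes":
        findings.append("personal device, not company issued")
    if row["model"] not in baseline.approved_models:
        findings.append(f"model not in approved set: {row['model']}")
    minimum = baseline.min_os_version.get(row["os_name"])
    if minimum is None:
        findings.append(f"operating system not covered by policy: {row['os_name']}")
    elif parse_version(row["os_version"]) < minimum:
        findings.append(
            f"OS version {row['os_version']} below baseline "
            + ".".join(str(n) for n in minimum)
        )
    return findings


def audit_inventory(csv_text: str, baseline: Baseline) -> Dict[str, List[str]]:
    """Map device_id -> findings for every non-compliant device in the export."""
    report: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_device(row, baseline)
        if findings:
            report[row["device_id"]] = findings
    return report


def model_mix(csv_text: str) -> Counter:
    """Count handsets per model: the 'actual mix' the audit is meant to reveal."""
    return Counter(row["model"] for row in csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print("Model mix:", dict(model_mix(INVENTORY_CSV)))
    for device_id, findings in audit_inventory(INVENTORY_CSV, BASELINE).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

The baseline is deliberately kept separate from the checking logic so that tightening the approved set or raising a minimum OS version is a data change rather than a code change; the same report can then be re-run against each new export as the estate changes.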
