Wednesday, April 01, 2009


The power of mobile computing has resulted in tremendous work flexibility and productivity. Tools such as laptop computers and sophisticated mobile phones have allowed us to perform functions that were previously unachievable. You are now able to conduct professional corporate presentations while visiting clients or update budgets while on vacation, among many other work-related activities.

Mobility unfortunately has brought new and serious challenges in the areas of corporate security and information privacy. It is now common practice for companies to issue laptops to employees as replacements for their desktop computers. Powerful mobile phones are also provided so as to maintain constant e-mail communication. This has resulted in vast volumes of corporate information being delivered and stored electronically.

A dramatic upsurge in laptop theft has been witnessed in Nairobi. These device losses pose a serious risk to both the owner and the company. Personal and trade secrets can easily fall into the wrong hands. Beyond the loss of hardware, the greatest concerns are often the value of data and the unsecured enterprise access available through a company laptop. Corporate data obtained from a stolen laptop can be sold to competitors. Unauthorized access to a company’s customer database can be achieved by use of a stolen laptop. Your personal data can also be used to commit identity theft.

These scenarios demand a layered approach to mobile computing security where data protection is also included. This approach encompasses Compliance, Protection and Recovery.

Compliance is the ability to comply with applicable mobile data protection regulations and to provide an easily accessible audit trail. To ensure compliance, companies must protect data, track the mobile hardware (and its users), provide auditing capacities and maintain historical records. The Kenya Communications Act and the Communication Commission of Kenya’s regulatory framework are good starting points. Non-compliance will expose the organization to lawsuits in the event of data loss.

Protection is the ability to prevent mobile data losses from occurring. Data loss from a stolen laptop can be prevented by encrypting mobile data. Encryption, however, fails to protect sensitive information in cases of internal theft. In instances of external theft, encryption only delays access to sensitive information. Total protection calls for a multi-faceted approach that combines encryption, strong authentication and the deployment of asset-tracking software.

Asset-tracking software tools are able to track and recover laptops that are lost or stolen. They also monitor any changes or disappearances in computer memory, hard drives or peripherals.

Recovery is the ability to recover lost or stolen mobile data, to retrieve lost or stolen devices and return them to the control of the organization, and to facilitate prosecution. Companies should have in place procedures that include law enforcement officials in the recovery of these devices. A fully functioning Cyber-Crime unit of the Kenya Police would be able to increase the asset recovery and prosecution capacity. Subsequent prosecution would act as a powerful deterrent against future theft.

This multi-layered approach will go a long way in ensuring that mobile asset and data protection controls are in place and in reducing exposure to legal action due to device loss.
