Clearly, the trends found by Senforce Technologies and outlined in this release seem disturbing. The company found that 73 percent of respondents attending the 2007 FOSE and InfoSec World trade show say that their organizations house corporate data on laptops, thumb drives, iPods or other portable end points.
A minority of decision makers -- 44 percent -- are comfortable with their organization's wireless, malware, endpoint security and data encryption strategies. Twenty-three percent reported a breach within the last 18 months, while 25 percent didn't even know whether or not their company had lost data.
Those are sobering numbers, to be sure. But a closer look shows a slightly less ominous scenario. For instance, it's not surprising that at this point three-quarters of companies store data on portable devices. Likewise, since the survey was conducted at a trade show, a lack of knowledge about data breaches within a company may be a function of who happened to respond -- not poor security management.
This may be a case of damning the survey with faint criticism: The numbers are bad, but they should be expected to be bad, so there is no news here. The reality is that what Senforce found should be reinforced until the situation changes: The complexity of corporate security is rising in proportion to mobility and mobile equipment, while the efforts of IT folks to deal with the issues apparently aren't.
To a certain extent, this reality should frighten corporate security managers. But, to a greater degree, it should rouse them to action: A new model of security is needed, one that is based on a landscape in which the IT department has only a vague idea of what is connecting to the networks over which they are paid to run herd. This IT Week story does a good job of summing up many of the issues, including the observation that new employees increasingly will arrive with their own mobile technology and expect to simply plug it into the corporate network.
The model must start with rich endpoint security features. Corporate policies that simply state which types of mobile devices are allowed and how they may be used are insufficient. These policies will mean no more than the paper on which they are printed until there are tangible ways of protecting the corporate networks from mobile devices capable of storing data.
This all points to the efficacy of network access control (NAC) technology, encryption and other technologies that, if configured correctly, essentially assume all devices trying to latch onto a network are guilty until proven innocent. This protection must exist both inside and outside the firewall.