Magnus Ahlberg, Pointsec
Insuring against hardware theft is rapidly becoming pointless and expensive; few companies bother to take out policies because the premiums are now so high. Companies are also realising that the true cost of a stolen item of hardware is not the device itself but the information it contains. No company is without laptops, PDAs or smart phones these days, so if you want to make sure your company does not become another statistic or victim of data theft, here are a few golden rules to follow.

Number One: Users must have a mobile use policy, or ensure that the corporate IT security policy has specific provision for mobile devices and is updated whenever new hardware categories, such as combined PDA/phones, are adopted.
Number Two: Take the responsibility for IT security away from the end-user and centrally manage and deploy it. Work on the premise that no-one can be trusted to safeguard their own device. Wake up to the fact that users are just not interested in security.

Number Three: Invest in a solution that is usable and flexible. Easy-access, transparent encryption that does not slow down a user's device is now available on the market. If security gets in their way, users will go to whatever lengths to disable it or buy their own device.
Number Four: Take a blanket approach to security: own every mobile device that leaves the office and make access control and encryption mandatory. DO NOT allow users to store company information on their own mobile devices. Don't be fooled into believing that they are already protecting their devices with the "factory" password settings or encryption; nine times out of 10 they won't be. Record the serial numbers of all PDAs and similar devices, including memory cards.
Number Five: Be realistic with passwords: users hate them! An enforced, long and difficult password will result in users writing it down or forgetting it. If they can choose themselves...