RedCannon Security, a trusted provider of centrally-managed, secure
mobile-access solutions for the enterprise, today announced the
Six Laws of Mobile Security.
The Laws are a common sense framework for how enterprises can
assess their mobile security best practices to protect private data,
while enabling the use of mobile devices such as USB drives.
Until recently, the proliferation of small and inexpensive mass
storage devices and their potential for data loss had been under the radar of most
senior managers. The prevalence of laptops, PDAs, and other mobile devices
in the enterprise, coupled with the explosion of wireless connectivity
options, has led to significant support issues and security risks. Mobile
devices need to be managed and secured. While the cost of replacing the
devices is relatively insignificant, more and more users store sensitive
information on these devices, and therein lies a serious data leakage
threat. The fact that mobile devices can introduce malware including
keyloggers and Trojans into the corporate network compounds the problem.
The majority of companies have not taken steps to address these issues.
According to a recent analyst report, only 9 percent of companies have
deployed mobile management tools, while another 20 percent are piloting or
plan to deploy mobile management tools within the next 12 months.
Additionally, about 40 percent of enterprises have no policies in place
regarding mobile security.
The Six Laws of Mobile Security include best practices and tips for
enterprises worldwide as they seek to improve their mobile efficiency,
reduce remote access threats and prevent data leakage:
1. Define Acceptable Use -- Organizations must implement security policies
for portable devices that cover remote access, authentication, device
storage, acceptable use and encryption.
2. Educate Employees Frequently -- Often, employees see security policies
as barriers to productivity, unless they fully understand the risks and
the importance of reducing these risks. Security awareness campaigns
are key to helping staff understand the reasons for the policies and to
become active partners in security. Education programs should focus on
the risk the policy is designed to mitigate and demonstrate how
appropriate controls protect the employee. Training programs should
also be augmented with regular communication of new threats,
vulnerabilities, policies and individual accountability.
3. Manage Mobile Devices Centrally -- Many organizations are not even
aware of the number of devices connecting to their networks, or from
where. Centralized management of mobile devices enables organizations
to track usage and enforce security policies remotely, including the
ability to lock a mobile device after a number of incorrect attempts to
guess a password, or destroy data when a device is reported lost or
stolen.
4. Encrypt Mobile Data -- Before implementing a security solution to
manage ports and control devices, IT managers should also sketch out
how encryption fits into their plans, including how encryption should
be implemented, who must encrypt data, from where users can access
encrypted data, and how much responsibility falls on the user to
encrypt data.
5. Control Ports -- Companies must control USB ports to ensure that only
authorized drives are used with corporate computers. However, the
knee-jerk reactions of the past, such as gluing USB ports shut or
otherwise disabling USB ports, can impact productivity significantly.
This is also no longer viable because these ports are required for key
peripheral devices including keyboards, mice and printers. Employees
need access to these ports to do their jobs. IT professionals should
employ a whitelist approach, allowing only authorized devices to
connect.
6. Secure Remote Access -- Mobile security programs should include defined
policies for remote access, including acceptable network connection
methods and authentication policies. Who is allowed what type of
access, and to what specific data? One way to extend secure
authentication beyond passwords is to implement some form of two-factor
authentication, and secure, one-time passwords such as SecurID tokens
from RSA.
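The whitelist approach described under Law 5 can be illustrated with a small policy evaluator. The following is an added example written for this page, not RedCannon's product or code: it assumes a hypothetical `key=value` device record format (constructed here) and a policy that admits keyboards, mice and printers by USB class while admitting mass-storage devices only when their vendor, product and serial appear on an allowlist. The vendor, product and serial values in the sample records are constructed.

```python
"""Added example: USB device allowlist evaluation (hypothetical policy engine).

Keyboards, mice and printers are admitted by their USB class so that ports
stay usable; mass-storage devices are admitted only if their
(vendor, product, serial) triple is on the allowlist; everything else is denied.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# USB-IF interface class codes used by the policy
CLASS_HID = 0x03           # keyboards, mice
CLASS_PRINTER = 0x07
CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    device_class: int
    serial: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    allowed_classes: frozenset            # classes that may always connect
    allowed_storage: frozenset            # (vendor_id, product_id, serial)


# Constructed allowlist entry: one approved corporate drive (hypothetical values)
DEFAULT_POLICY = Policy(
    allowed_classes=frozenset({CLASS_HID, CLASS_PRINTER}),
    allowed_storage=frozenset({(0x0781, 0x5583, "CORP-DRIVE-0001")}),
)


def evaluate(dev: UsbDevice, policy: Policy = DEFAULT_POLICY) -> tuple[bool, str]:
    """Return (allowed, reason) for a device under the policy.

    Note that the decision rests on descriptors the device itself reports;
    the allowlist is a control, not a guarantee of device identity.
    """
    if dev.device_class in policy.allowed_classes:
        return True, "class-allowed"
    if dev.device_class == CLASS_MASS_STORAGE:
        if not dev.serial:
            # A storage device without a serial cannot be matched to an entry
            return False, "storage-no-serial"
        if (dev.vendor_id, dev.product_id, dev.serial) in policy.allowed_storage:
            return True, "storage-allowlisted"
        return False, "storage-not-allowlisted"
    return False, "class-denied"


def parse_record(line: str) -> UsbDevice:
    """Parse a constructed 'vid=.. pid=.. class=.. [serial=..]' record (hex fields)."""
    fields = dict(part.split("=", 1) for part in line.split())
    return UsbDevice(
        vendor_id=int(fields["vid"], 16),
        product_id=int(fields["pid"], 16),
        device_class=int(fields["class"], 16),
        serial=fields.get("serial") or None,
    )


def audit(records: list[str], policy: Policy = DEFAULT_POLICY) -> list[tuple[str, bool, str]]:
    """Evaluate a batch of records, returning (record, allowed, reason) for logging."""
    return [(line, *evaluate(parse_record(line), policy)) for line in records]


# Constructed sample records (hypothetical ids): a keyboard, the approved drive,
# an unknown drive, and a wireless adapter (class 0xE0)
SAMPLE_RECORDS = [
    "vid=046d pid=c31c class=03",
    "vid=0781 pid=5583 class=08 serial=CORP-DRIVE-0001",
    "vid=0781 pid=5583 class=08 serial=PERSONAL-9999",
    "vid=0a5c pid=21e8 class=e0",
]

if __name__ == "__main__":
    for line, allowed, reason in audit(SAMPLE_RECORDS):
        print(("ALLOW" if allowed else "DENY "), reason, "<-", line)
```

Running the block prints one decision per record; the `reason` string is what a central management console would log so that a denied device can be traced to the rule that blocked it.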
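Law 6 recommends one-time passwords as a second factor. The following is an added example, not code from the original release or from RSA: it implements the standard HOTP counter-based one-time password (RFC 4226) with a verifier that resynchronises within a look-ahead window and refuses replayed codes. SecurID is a separate, proprietary scheme; HOTP is used here only to illustrate how a server verifies an OTP. The secret used for the self-check is the published RFC 4226 test secret.

```python
"""Added example: HOTP (RFC 4226) one-time password generation and verification."""
import hashlib
import hmac
import struct

# Published RFC 4226 test-vector secret (ASCII "12345678901234567890")
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for a shared secret and an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side verifier holding the next expected counter for one token.

    A code is accepted only if it matches one of the next `window` counters;
    on success the counter moves past the used value, so the same code can
    never be replayed and skipped token presses are tolerated.
    """

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.counter = 0          # next counter value the server expects

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            # constant-time comparison of the submitted code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1      # resync and burn the code
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("first code accepted:", v.verify(first))
    print("same code replayed:", v.verify(first))
```

The window lets a user who pressed the token button without logging in still authenticate, while the advancing counter is what prevents a captured code from being reused; a window that is too wide weakens the factor, so it should stay small.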