Laptops are the main business tool for most mobile workers, and connecting those devices to the Internet via free public Wi-Fi hotspots has become common practice. So how well do your mobile workers follow security guidelines for safe mobile computing?
To find out, we went directly to the source. We visited airports, restaurants and coffee shops and asked people about the security measures they were taking to protect their laptops.
We asked whether the laptop was personal property or provided by work, whether it was being used for personal or work projects, what kind of security training the users had been given, and other details about Wi-Fi use and general laptop safety. Because we tracked no personal details beyond the user's first names, people seemed open and fairly honest with their answers.
The results should scare any security professional. Many users have little idea what security features their laptop has, and only vague notions of safe computing practices. Before we get to the real horror stories, let's start with the end users who exhibited the best Wi-Fi behavior.
Timothy: B+
Every IT exec who has laptop users on the road would be happy to hold Timothy up as an example of smart laptop use. Sitting in the Los Angeles airport, plugging his laptop into his cell phone, Timothy did most of the right things to protect laptop safety.
“All the company field service engineers have to be A+ certified,” says Timothy, a technician for a medical device manufacturer. “IT installs security software and we get occasional memos about safety, but we all understand security and are pretty careful.”
Because the Los Angeles airport doesn't offer free Wi-Fi, Timothy uses the Sprint cellular data network through his cell phone. But when free Wi-Fi is available, in the Denver airport for example, he takes advantage of it.
Checking his company e-mail, Timothy says he has access to a VPN for connecting back to the company network, but wasn't using it at the time. His employer provided the Dell Latitude D520 running Microsoft Windows XP, but Timothy admitted using it for personal business as well.
Timothy's laptop had a password that appeared before Windows loaded. He wasn't sure if that was for a system-level password or a full disk encryption product.
Kurt: B
Then there's Kurt, CFO for a regional restaurant chain. Kurt loves free Wi-Fi if he can get it, and refuses to consider paying for any type of cellular data network plan for himself or any of his users. “If I can get by with free Wi-Fi as much as I travel, so can everyone else,” he says.
Sitting in the Dallas Ft. Worth airport, Kurt was buying a single day pass for T-Mobile Wi-Fi access. His Dell Latitude 630, company equipment, was running Windows XP.
“We use a Blackberry or a smart phone for our e-mail, so laptop connections aren't that critical,” says Kurt. He does use his company laptop for personal projects, but answered with a quick emphatic “no” when asked about online banking over public Wi-Fi. “I can start a VPN to our company accounting server if I need to, but that's all the connections I have to work,” Kurt says.
His refusal to consider using a cellular data network from one of the major cell phone providers may be an example of a “looks good but smells bad” business decision. When users search for free Wi-Fi networks, they open themselves to a variety of interception hacking techniques, particularly if they connect to an Ad Hoc network by accident.
Buying a couple of T-Mobile day passes and paying for three nights of hotel Internet access during a month will cost Kurt the same amount as the monthly cellular data network fee. Users spending $60 on laptop connections per month will benefit from a cellular data network's flat and predictable pricing models, and be at least a bit more secure than searching for an open public Wi-Fi network.
Rebecca: D
In a Panera Bread, Rebecca sipped tea while using her Acer 1640Z laptop running Windows XP. She uses her personal laptop at both her jobs, a hospital and a local college where she teaches part-time.
She uses public Wi-Fi for e-mail and Web browsing. She says she doesn't have a way to connect directly to the college network from a remote location, but does access several systems via their Web interface.
When asked about her link to the hospital, she said, “I use sit something, like citrus, no, Citrix.” She said her hospital IT department installed the Citrix software and some security programs, but she had no idea what they were.
Here we have a laptop going between two heavily regulated industries demanding care with client records, a hospital and a college, and physically and remotely connecting to each network. Rebecca's laptop had no physical security, such as a system boot up password or any level of disk encryption. The type of information that could be easily accessed on that laptop if stolen, or the data easily intercepted with any of a dozen Wi-Fi sniffing tools, makes us shudder.
Brad: D
Then there's Brad. He proudly showed off his 9-month-old Dell E1405 laptop running Windows XP as he sat in a Panera Bread restaurant and used its public Wi-Fi. He bought the computer himself, but uses it as his main computer at the church he works for, as well. That means everything he does with his laptop at Panera Bread goes with him to the office and plugs directly into his office network.
“I do everything on my laptop,” Brad says. “E-mail, blogs, Web research, check my bank accounts online, both personal and for the church.” He may have realized the security implications of that statement when he later said he never lets his browser save username and password for Web sites he visits.
Jay: C
Jay used his older MacBook running OS X 10.5 to read e-mails while sitting at the Cafe Express restaurant in Dallas, a busy Wi-Fi hotspot. A self-employed musician and event planner, Jay worried little about security problems with public Wi-Fi because, “It's a Mac.”
Officially a work computer, he uses the device for all personal and work activities whenever he leaves his home office.
To prove he was worried about the loss of his laptop, Jay offered to show us the Kensington laptop lock he had in his computer bag. Unfortunately for Jay, the bag actually contained two spare audio equipment RCA cables. But Jay deserves points for being more concerned about physical laptop safety than anyone else we met.
Lessons learned
Summing up, laptop users we interviewed seem unconcerned about security when using public Wi-Fi networks. Those who have work laptops still use them for personal business, and those who use personal laptops for work take few security precautions.
No one volunteered that they used a firewall, although a few knew they had one when asked. No one understood the amount of casual and targeted Wi-Fi hacking that could have been applied to their communications during our conversation.
Because the majority of data breaches reported in the news start with some type of lost laptop (Laptop Loser's Hall of Shame) we expected to hear several people tell us about full disk encryption on their laptops. None did, although Timothy may have full disk encryption and not know it. None used any type of data folder encryption, either.
None of the laptop users we interviewed used any type of laptop labeling or tracking service to greatly increase the chances of getting back a lost laptop. Since nearly 12,000 laptops are lost or stolen at U.S. airports each week, the changes are good a regular traveler will lose a laptop before long. (Read a related story about 10 of the worst moments in network security history.)
Label tracking services affix a permanent label to laptops with a unique ID and a toll free number and URL. When someone finds a lost laptop, the service arranges to ship the laptop back to the owner, and rewards the finder. With business laptops still in the $1,000 to $1,500 price range, getting laptops back can save some serious money.
Tracking services also help return laptops, but focus on those grabbed by thieves. Hidden software “phones home” whenever the laptop connects to a network to report its location. When reported stolen, the tracking service pinpoints the laptop location and informs the owner, local police or both. The market leader in this area, Absolute.com, claims to have returned more than 5,000 stolen laptops, including over 200 in one week in 2007.
Preaching abstinence
As part of our research, we spoke with John, a security manager at a major financial services institution (names concealed for security) and asked about his rules for company supplied laptops. They're the harshest we've seen, and would certainly surprise the laptop users we interviewed.
“No public Wi-Fi, ever,” John says. “We use only cellular data networks for that extra bit of security. We block the USB ports on the laptops, and block the CD-DVD drives. If you can load a program, you can get infected. When your laptop gets infected, you bring that infection to work.”
At a Starbucks, we found an end user who subscribed to John's abstinence theory. He was using his personal, older-model Gateway laptop in a Starbucks. “I never use wireless anywhere,” he says. “Not at home, not at work, and certainly not in public,” he said as he plugged his power cord into the wall.
Of course, there's a middle ground between using public Wi-Fi promiscuously and going the abstinence route. Users can practice safe surfing by following accepted best practices that include firewalls, encryption, VPNs and physical security measures to protect data in the event that a laptop is stolen or lost.
