Unilever Builds Mobile Security from Scratch

By Beth Mcfadden  |  Posted 2006-05-15

In March 2004, senior management at Unilever demanded handheld mobile devices for the company's top 1,000 executives to increase their productivity. For Tony Farah, director of global solutions, this project posed major headaches; Unilever, a $54 billion manufacturer and supplier of consumer goods, operates in 57 countries and has executive teams spread across Europe, North America, Latin America, Asia, Africa and the Middle East.

Another complicating factor: Handheld devices pose significant threats to business security because of their proliferation in the workplace. Research firm Forrester says that more than half of North American and European firms have adopted some type of mobile application. As a result, Forrester predicts that 2006 will bring a number of high-profile security incidents involving mobile devices.

Often, smart phones and PDAs, particularly those used by CEOs and senior executives, contain highly sensitive corporate data like sales figures, as well as customers' confidential information including Social Security numbers, phone numbers and e-mail addresses. Because handhelds are so portable, they're easy to lose or steal. They can also operate in a number of environments with multiple modes of network and Internet connectivity, such as Wi-Fi or digital cellular wireless services. This, in turn, can translate into a greater number of illicit access points for hackers or intruders, and result in data thefts and financial losses for the firm.

According to the most recent Computer Security Institute/FBI Computer Crime and Security Survey, financial losses from certain security breaches are growing quickly. The average loss from theft of proprietary information increased 110%, to $355,552 in 2005 from $168,529 in 2004, while the average loss from unauthorized access to data increased 488%, to $303,234 in 2005 from $51,545 in 2004.


Finger Off the Panic Button

Farah and the nine members of the Unilever team didn't panic; they knew they had an opportunity to determine the company's policy on mobile devices. Their first step was to decide that from a security perspective, a mobile handheld device would be treated no differently from a laptop. "We used our laptop policy as a base," Farah notes. "Our laptops have password time-outs, so we decided that any device we selected would have the same protection." In addition, Unilever has a general policy that no e-mail can leave the company's network without being encrypted.

The team married these premises with several business requirements for the device itself: the ability to use voice and data capabilities on the same device; roaming capabilities so the device works internationally; the ability to view attachments, such as Word files; and a battery life of more than 4 hours. The team then consulted the company's telecommunications outsourcing partner, British Telecom, which has a seven-year contract that began in November 2002 to provide Unilever's wireless area network, local area network and wireless services.

The next step was to roll out a pilot program in June 2004 at Unilever headquarters in London. Only 20 senior executives took part in the program. The small size of the user group allowed the technologists to better control the rollout of the pilot and to test the devices at the same time as the executives.

Farah and the team decided that the pilot would exclusively use the BlackBerry 7200 handheld from Research in Motion (RIM). The team based its decision on recommendations from researcher Gartner that ranked RIM as the leader in its category, according to frequency of product upgrades and new releases; support for heterogeneous e-mail servers and architectures; synchronization mechanisms for e-mail; the number of wireless networks supported—for example, General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA) and Wi-Fi—and security features like encryption and data control.

Unilever's pilot program spent approximately $2.5 million for the BlackBerry 7200s and BlackBerry Enterprise Servers. During the testing phase, Farah's team collected feedback from the executives on the BlackBerry's screen size and keyboard. The majority of executives said that both were satisfactory. Additional questions focused on the BlackBerry's functionality, such as whether the executives had been able to download attachments and view them, and whether the Internet browser's viewing capability was acceptable. The majority of executives gave the BlackBerry a thumbs-up based on these functional criteria as well.

A final set of questions focused on the security of the device itself. An overwhelming majority of the executives agreed that the security procedures for the BlackBerry were reasonable, and that it was practical for them to cradle their device every 30 days to create a new security key.

In September 2005, the pilot moved into production for a larger group of executives. Prior to this rollout, the team analyzed all of the hardware devices RIM offered and selected three, the 7100, 7290 and 8700, as the standards. They were chosen because they were the models that best met the original business requirements. Unilever also requires that employees procure their BlackBerrys through British Telecom. A key factor in the deployment, according to Farah, was requiring every employee to use the company-specified device. "No one can deviate from these standards, and if they do, they won't get support," he says.

John Pescatore, vice president of Internet security at Gartner, applauds this best practice. He notes that 90% of firms can't dictate their employees' mobile hardware use: "Choice of devices is driven by user preference, which makes it very hard to standardize."

No Deviations on Security

Unilever decided that it was important to have a strict and consistent security policy. "BlackBerry's operating system has the best security features compared with other wireless e-mail vendors," Pescatore says. He notes that BlackBerry is a closed environment with a proprietary operating system. This allows information-technology managers to set default parameters so, for example, users won't be able to open attachments sent from their desktop, which cuts down on the number of viruses that may infect the company's network.

Unilever users are automatically prevented from installing any third-party applications on their BlackBerrys. The security settings also prevent the use of any other e-mail programs or browser services, which means all outbound e-mail and browser traffic is routed through the BlackBerry Enterprise Servers. Those servers use 128-bit encryption and are Secure Sockets Layer-compatible. Split-pipe connections are likewise prohibited, which means that applications running on the BlackBerry operating system can't open both internal and external connections to the Internet. Permitting both at once would allow a malicious application to surreptitiously collect data from inside the firewall and send it outside the firewall without any auditing.

The firewall monitors all traffic and checks if users are forwarding their e-mail to non-corporate accounts. "If we discover someone's doing this, we tell them to stop, because once we have e-mail passing from a home network through our corporate network it is unsecured," Farah explains.

No technology installation is without hiccups, however. After the pilot moved into production in September 2005, Unilever installed a BlackBerry Enterprise Server to process and encrypt messages in each of its Microsoft Exchange environments. It also instituted two security protections on the BlackBerry devices themselves:

• A time-out after 15 minutes idle; a user must then input his password again to regain access to e-mail or the phone.

• A lockout and complete wipe of the device after 10 failed password log-in attempts.

"I started to get a tremendous amount of pushback from executives who didn't want to enter the password when they were using the BlackBerry as a phone," Farah explains. To accommodate those users, the company's I.T. group allows them to carry a BlackBerry for data and either a cell phone or smart phone for voice. "One of the original business requirements was that executives could use the device for both voice and data; for some of the executives, we had to give up on that," he says.

The program has now been underway for almost two years, with a recurring annual cost of $70,000 and more than 450 executives enrolled. Another 550 executives will receive BlackBerrys this year. To date, there have been a few lost and stolen handhelds but no major security breaches, according to Farah.

This puts Unilever way ahead of the curve, Pescatore says: "What they're doing is above and beyond best practices."