Mobile devices such as smartphones, PDAs, and laptops have been an incalculable productivity boon for today’s enterprises. Mobile devices are prized for the flexibility and convenience they provide, while at the same time mobility presents significant challenges for IT administrators charged with managing their companies’ data and networks and keeping them secure – particularly as mobile devices and networks have become more sophisticated and ubiquitous.
IT managers must take a long, hard look at the ways these devices access and store corporate data to ensure they don’t pose a security risk. This article examines some of the primary security issues surrounding mobile devices and suggests what enterprises can do to address them.
Increasing risks to confidential data
According to a recent survey by InsightExpress, business users utilize their smartphones not only for company business, but for emailing, instant messaging, browsing the Web, downloading and sharing files over the Internet, as well as for checking financial accounts. The survey found that the majority of smartphone users (55.7 percent) store confidential personal, business or client data on their devices. More than 54 percent of smartphone owners use their devices to send and receive emails that include confidential personal data; 40 percent access bank accounts using their smartphones; and nearly one-third of respondents access credit card accounts.
Imagine the business impact if an employee’s smartphone, laptop, or handheld were lost or stolen, revealing confidential employee or customer data such as contact information, credit card information, social security data, or credit reports. Such incidents could not only turn into public relations disasters, but could also violate laws and regulations. Consider the potential legal action for a publicly traded company whose employee records, sales reports, or M&A plans fell into the wrong hands.
In addition to loss or theft, security experts are finding a growing number of viruses, worms, and Trojan horses that target mobile devices. Although none of the new attacks has done extensive damage in the wild, many experts believe it’s only a matter of time before this occurs. Within the past few months, there have been several examples of nuisance malware such as worms, viruses and Trojans in the public domain attacking mobile devices.
In the emerging smartphone and PDA markets, the three dominant mobile device operating systems are Symbian, Palm, and Windows Mobile. According to Canalys, an industry-analysis research firm, Symbian’s market-leading share rose to 53 percent in 2004 from 38 percent in 2003. Due to their broad availability, Symbian phones have become malware writers’ favorite target.
While the number of mobile device threats reported in the wild is still relatively small, the types of threats created demonstrate some of the advanced capabilities of these devices. As mobile computing becomes more common and mobile devices become more complex, it is likely that other avenues of attack will be discovered.
A threat scenario
For IT managers, of course, one concern is that a well-meaning road warrior could inadvertently infect the organization’s network with a worm or virus. Consider the scenario of an authorized user with a smartphone or PDA and a secure VPN (virtual private network) connection to the network. Were the smartphone or PDA to be contaminated by a virus before the user established a VPN link, the virus could bypass the corporate firewall and enter the network.
Because of scenarios like that, more and more mobile enterprises are realizing that security and administration policies must be extended to all end points, including laptops, smartphones, and PDAs. They need remote interrogation systems to determine whether a device seeking a network connection is really an authorized device. They also need tools that interrogate a device to see whether it is current in terms of firewall settings, antivirus updates, and software patches. These measures should be a matter of policy, adopted to reduce risk, ensure business continuity, and comply with regulations, irrespective of whether a specific threat is active, because they are a matter of risk management for key business assets, processes, and proprietary information.
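To make the endpoint interrogation described above concrete, here is an added example (not from the original article) of the posture check a VPN gateway could run against a device's self-reported state before admitting it: the device must be in the authorized inventory, have its host firewall on, have fresh antivirus signatures, and carry every required patch. The policy, device IDs, and patch names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical posture policy: what a device must show before the VPN admits it.
@dataclass
class Policy:
    authorized_devices: set         # device IDs enrolled by IT (assumed inventory)
    max_signature_age_days: int     # antivirus signatures older than this are stale
    required_patches: set           # patch IDs every device must have installed

@dataclass
class PostureReport:
    device_id: str
    firewall_enabled: bool
    av_signature_date: date
    installed_patches: set = field(default_factory=set)

def evaluate_posture(report, policy, today):
    """Return (decision, reasons). 'allow' only if every check passes;
    an unknown device is 'deny', a known but out-of-date one is 'quarantine'."""
    if report.device_id not in policy.authorized_devices:
        return "deny", ["device not in authorized inventory"]
    reasons = []
    if not report.firewall_enabled:
        reasons.append("host firewall disabled")
    sig_age = (today - report.av_signature_date).days
    if sig_age > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {sig_age} days old")
    missing = sorted(policy.required_patches - report.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    return ("allow", []) if not reasons else ("quarantine", reasons)

# Constructed sample: one compliant laptop, one stale PDA, one unknown phone.
POLICY = Policy(
    authorized_devices={"LAPTOP-0042", "PDA-0117"},
    max_signature_age_days=7,
    required_patches={"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
)
SAMPLE_REPORTS = [
    PostureReport("LAPTOP-0042", True, date(2005, 7, 24), {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
    PostureReport("PDA-0117", False, date(2005, 6, 1), {"KB-EXAMPLE-1"}),
    PostureReport("PHONE-9999", True, date(2005, 7, 25), {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
]

def run_sample(today=date(2005, 7, 25)):
    return {r.device_id: evaluate_posture(r, POLICY, today) for r in SAMPLE_REPORTS}

if __name__ == "__main__":
    for dev, (decision, reasons) in run_sample().items():
        print(dev, decision, "; ".join(reasons))
```

A quarantined device would be placed on a remediation segment that reaches only update servers, not the corporate network.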
Another challenge for IT managers is that the inherently small form factors of PDAs and smartphones make them more likely to be lost or stolen. Most users carry critical data on their devices such as emails, address books, meeting notes, and calendar appointments. Also, most platforms come with a simple software-based login scheme that allows configuring a password to protect access to the device. Such mechanisms can easily be bypassed by reading the device memory directly without starting the operating system.
Moreover, as these devices become more powerful, they’re increasingly likely to contain sensitive information. Earlier this year, for example, a laptop containing the names and Social Security numbers of 16,500 current and former employees at a large telecommunications firm was stolen from an employee’s car in Colorado. The chief executive of a leading technology company had his laptop stolen from the podium of a hotel conference room where he had just finished giving a talk to the Society of American Business Editors and Writers. He had been talking with several members of the press only 30 feet away when he noticed the laptop was missing.
Again, the loss of sensitive data isn’t the only concern. As The Washington Post reported: “Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act.” (“Lost a BlackBerry? Data Could Open A Security Breach,” July 25, 2005)