By Jim Rapoza
For many business professionals today, advanced smartphones such as iPhones, Androids, Windows Mobiles and BlackBerrys are the primary way to access company resources and applications. Ask modern business users to choose between their smartphones and their laptops, and quite a few would happily toss the latter away.
There are various benefits to mobile computing: It cuts operational costs and boosts productivity, since road warriors can connect anywhere at any time. Many businesses therefore welcome mobile devices into their environments, with some even designing “mobile-friendly” core enterprise applications and systems. But when employees access these resources with their personal devices instead of IT-issued smartphones, mobile computing can also pose serious data-security risks.
Smartphone security: Mobile devices and the high risk of data loss
Take one employee’s smartphone and ask yourself this question: If this phone were lost or stolen, could someone access its data?
Most mobile devices have a screen lock, which requires a PIN or unique gesture to unlock the phone. But if this feature is disabled or the user has opted not to turn it on, the device is unlocked and unsecure. Does it have email and other applications for accessing different enterprise applications—and are they preconfigured for automatic login? If yes, every company mail server, network, data resource and enterprise application is open to attack.
And what about sensitive documents and files stored on the phone? Are they encrypted or stored in an automatically encrypted folder? If not, they should be.
If employees use corporate-issued mobile devices, are there controls and policies to prevent them from installing their own applications? On the other hand, if employees are allowed to use their own mobile devices, can their personal applications reside next to corporate applications that access corporate data? Have you checked to make sure these personal applications are legitimate, and not malware?
These questions suggest just a few ways data can be compromised if a phone falls into the wrong hands. But criminals don’t need lost or stolen devices to pose threats to a mobile workforce.
While still in its infancy, mobile malware has been on the rise recently, and this trend will likely continue.
Fortunately, the current mobile market may help limit the spread of malware. Since there’s a wide variety of platforms from which to choose—Apple’s iPhone, Google’s Android, RIM’s BlackBerry and Windows Mobile, to name a few—there’s no “Windows-size” target out there for malware writers.
And because major vendors like Apple and Google maintain application markets, it’s harder to spread infected programs.
However, given the potential rewards (e.g., using smartphones as payment systems for purchases), malware writers are bound to figure out ways around these obstacles. Some already have:
- In February 2011, a new Trojan horse for Google’s Android OS was found in Chinese third-party application stores, where it posed as legitimate programs.
- In early 2010, Google found and removed banking malware from its site after discovering a wallpaper application had gathered information on more than 1 million Android users.
- Researchers at the BBC put together their own smartphone spyware with ease and demonstrated how simple it was to crack the encryption on mobile phone conversations, providing the ability to listen in on private and sensitive calls.
These days, most mobile malware stems from third-party sites and markets. However, as open applications and Web-based systems, such as HTML 5, become more common—meaning malware creators won’t have to worry about application markets or other closed systems—the threat of mobile malware will likely increase.
Mobile device security challenges
Deciding to secure your mobile workforce is one thing; pulling it off is quite another. There are many issues to consider, including these:
First, if your organization doesn’t have a standardized mobile computing platform (two maximum), it needs one. Trying to support and secure multiple types of mobile devices can quickly lead you down the path of being unable to support and secure any.
Second, weigh ease of use against security concerns. Security-conscious workforces, such as those in defense industries, accept secure logins and encryption as a given. However, employees in other business sectors may see these tools as something to sidestep in order to have the ease of use they expect from their smartphones.
Third, can you control what applications your workers put on their mobile devices? Setting a policy that permits only approved applications on company phones is a good step; actually preventing employees from installing “Angry Birds” is a much tougher task.
How to protect your mobile workforce
You understand mobile-computing threats and mobile device security challenges. So one question remains: How do you secure your business’s mobile devices? Let’s review five actions you can take to reduce mobile security risk:
- Most smartphone systems are remote-wipe capable, so make sure your IT department has the information and tools to wipe sensitive data from a lost or stolen phone. Also, seek out configuration-management tools for your smartphone systems: In some cases, these tools will let you set up robust secure profiles and keep users from circumventing security measures.
- Use whitelists to prevent use of unauthorized applications. It’s a best practice to enforce your application policy through actual configuration; however, if you don’t have the time or resources, you can also use a posted list of approved applications.
- Investigate your encryption options, which can range in strength from very good—including full-system encryption—to nonexistent. If strong encryption isn’t possible on employee devices, look to access and rights policies that prevent data from being stored or even transferred to devices that lack full-security approval due to poor or no encryption options.
- Consider using virtual machines: While primitive at this time, they may become a key way to deliver company resources to mobile devices securely.
- Stay up to date on the latest endpoint security tools. Every security company recognizes the risks that mobile devices pose and many are introducing robust security technologies for smartphones.
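The device-side checks in the list above (screen lock, remote wipe, application whitelist, encryption-based access rights) can be combined into a posture gate that decides how much access a phone gets. The following is an added example, not part of the original article; the record fields, access levels, app identifiers and inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration only.
APPROVED_PLATFORMS = {"ios", "android"}   # standardized on two platforms
APPROVED_APPS = {"com.example.mail", "com.example.crm", "com.example.vpn"}

@dataclass
class Device:
    owner: str
    platform: str
    screen_lock: bool
    encryption: str        # "full", "partial" or "none"
    remote_wipe: bool
    apps: set = field(default_factory=set)

def evaluate(device):
    """Return (access_level, findings) for one device record."""
    findings = []
    if device.platform not in APPROVED_PLATFORMS:
        findings.append("unsupported platform")
    if not device.screen_lock:
        findings.append("screen lock disabled")
    if not device.remote_wipe:
        findings.append("remote wipe not enrolled")
    unapproved = sorted(device.apps - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    if findings:
        return "deny", findings            # baseline controls missing
    if device.encryption != "full":
        # Weak or no encryption: allow use, but no data stored or transferred.
        return "online-only", ["no full-device encryption"]
    return "full", findings

# Constructed sample inventory, as an MDM export might provide it.
INVENTORY = [
    Device("alice", "ios", True, "full", True, {"com.example.mail"}),
    Device("bob", "android", True, "none", True, {"com.example.crm"}),
    Device("carol", "android", False, "full", True,
           {"com.example.mail", "com.game.birds"}),
]

def report(inventory):
    """Map each owner to the access decision for their device."""
    return {d.owner: evaluate(d) for d in inventory}

if __name__ == "__main__":
    for owner, (level, findings) in report(INVENTORY).items():
        print(f"{owner}: {level} {findings}")
```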
Smartphones and other powerful mobile devices aren’t going away. In fact, most predictions have them becoming our primary communication devices, while traditional PCs and laptops fade in importance.
Eventually, mobile devices will have their “CNN moment,” whether it turns out to be malware that attacks smartphones around the world or a major security weakness that leads to massive data theft.
But while some businesses will be the inevitable victims of such an event, others will avoid the worst because they took the steps necessary to shore up their mobile device defenses.