
August 27, 2010
Vol.32 Issue 18 Page(s) 1 in print issue
Security For Mobile Devices
Increase In Use Brings Increase In Risks
Key Points
• Phone loss is the biggest security threat to mobile devices.
• Encryption is one of the safest ways to protect data on your smartphone.
• Corporate leaders should know how employees are accessing the network through their mobile devices.

The smartphone has become almost as essential for business as the computer. And why not? Most people can do the majority of their computer-related work on their phone, and it’s a lot easier to get through airport security.

“Today we have so many people who want to bring their smartphone or their iPad into the workplace. They don’t want to carry two devices, and they want convergence,” says Hugh Thompson, chief security strategist at People Security (www.peoplesecurity.com). “On the corporate side, there is motivation to let the employees have what they want. If you can give them a stipend to use and maintain their own phone, that’s appealing.”

Not surprisingly, then, with the increase in use comes an increase in security risks. However, before a discussion of the risks and how to mitigate them can occur, an enterprise needs to come to a conclusion on who controls the phones. As Thompson says, letting employees use their own mobile devices can save a company a lot of money, but then how much, if any, control can the company expect over what applications are downloaded or who borrows the device? If the company owns and regulates the phone, it is in control of how it is connected to the network, but that comes at a large price tag, something to consider during hard economic times for SMEs.

Biggest Threat

Overall, the biggest security threat right now is loss of the device, which is then compounded by not immediately reporting the loss of the phone. Most people will search for their phone, sometimes for days, before admitting it is gone. That means the phone and all its data could be in the hands of someone else. Hence, the need for some type of encryption.

“Enforce encryption on smartphones used for company business,” says Edy Almer, vice president of product management at Safend (www.safend.com). “That way if the device is lost, you know the data is protected.”

Another way to protect a lost or stolen device is through the ability to wipe the phone clean or otherwise remotely control the data on the phone. However, not every phone has the same level of management capability, and it is one of the reasons companies consider providing (and choosing) a device, says Chris Hazelton, research director at The 451 Group. “BlackBerry continues to be the top choice of companies who have to access confidential information through a mobile device, because there are over 450 management policies for the BlackBerry device.” That’s compared to fewer than 20 management policies for iPhone and even fewer for Android.

The hype of the iPhone 4 points to another potential risk. “There are workers who are buying new phones every year, with expectations of the phone having access to corporate information,” says Frank Kenney, a former Gartner analyst who is now vice president of global strategy at Ipswitch File Transfer (www.ipswitchft.com). “If I don’t give them access in a proper way, they’ll create proxies or look at other technologies to give them that access. That’s when we get into trouble.”

It’s better to use what you have for a while longer or at least wait until the upgraded phone is on the market long enough for the IT and security folks within the company to come up with a security plan. And that leads to governance issues and risk.

“We need to know exactly which employees are on the network and which employees are using resources through their mobile device,” Kenney says. “I have to build better governance capabilities around the data they are accessing so I can see where they are coming into the network and how they are using the network. The worst thing you can do is just say you have control so no one will do anything I don’t want them to do. That’s naïve, and it won’t work.”

Attacker Focus

Attackers are also focusing more effort on mobile devices. “There is a huge concentration of valuable data on mobile devices now,” Thompson says. “And now there is the consolidation of platforms. We see iPhone OS emerging; Android is emerging as a big player. When you see more standardization of platforms, it makes it easier for an attacker to make a choice on where to spend their time.”

Beware of app downloads and the information that is stored in them. Hazelton gives this example: “Citibank had an iPhone application that stored some banking information on the device in a secret file. That’s since been removed on the latest update, but that information was stored on the phone.” It’s better to have information that is stored in the cloud, he says.

Antivirus companies are beginning to address the increasing potential of malware written especially for mobile devices. The software can add firewalls, block SMS spam, and provide theft/loss protection.

To best protect the device from security risks, Thompson says the first step is to understand that there is a risk. “People will think twice about lending a laptop to a friend or forgetting it in a bar, but there is a different behavior with phones. It’s easier to forget it somewhere or loan it to someone.” And although there are plenty of warnings about doing sensitive work on Wi-Fi, smartphone users too often believe that they are insulated from the risks. The basic rule of thumb, Thompson says, is if you wouldn’t send data or visit a Web site on your laptop, don’t do it on your smartphone.

Users are often lazy where phones are concerned, Kenney says. That’s why it is important that enterprise security policies are regularly updated so they include any upgrades as well as new or emerging technologies such as the iPad.

“Employees need to accept the fact that more and more of their work life is being embodied in these mobile devices,” Kenney adds. “And they can’t be lackadaisical about using or leaving these devices just anywhere.”

Mobile devices are still relatively new to the enterprise and the way business is conducted, and the vast majority of users haven’t been breached. But as the use of mobile devices continues to grow and more employees take advantage of the phone to work outside the office, the risks are sure to increase. As The 451 Group’s Hazelton says, “Better to actively manage your mobile devices and keep them from risk now, because the bad guys will surely take advantage if you don’t.”

by Sue Marquette Poremba

Tips For Improving Mobile Device Security

Matt Sarrel, IT expert for Allbusiness.com, provides the following tips for improving security on mobile devices:
• All corporate mobile devices should be managed by IT, or at least IT should set the security policy and make sure it is followed.
• Mobile devices are important not so much because of the device, but because of the data on them and the access they provide to server-based systems. The cost of a lost BlackBerry is nothing compared to the damage that could be caused by your entire client and senior management contact info being leaked.
• Mobile devices should require a password or PIN to be unlocked.
• Users should not store Web and intranet passwords on mobile devices.
• Encrypt built-in and removable storage.