Viruses are yet to become a major threat to mobile
devices, but careless users and poor configuration could jeopardise
company data. Helen Beckett reports
Mobile computing is changing the way businesses are organised
and workers communicate. But it is a low-key revolution: the
infrastructure that enables it - wireless networks and miniature
computing devices - is largely hidden from view.
There are hidden dangers in this quiet revolution. Because
mobile computers are small they are often treated carelessly by
their users. And because wireless networks are easy to implement,
anyone, however ill qualified, can have a go. The net result is
frequent instances of unsecured mobile computing.
By 2008, 75% of the sales and services workforce worldwide will
be mobile, according to analyst firm Gartner. IDC analysts are even
more upbeat, forecasting that 66% of the workforce will be mobile
by 2006, by which time there will be 100 million mobile workers in
Western Europe.
Nonetheless, a study by Quocirca found an alarming lack of
respect for mobile devices by their users. "The smaller the device,
the less reverence users have," says Rob Bamforth, principal
analyst at the research firm.
Carelessness by end-users was widely reported by respondents,
one of whom suggested mobiles and personal digital assistants
should be attached to users with string, like children's mittens,
for safekeeping.
Bamforth says the level of respect for any device should be
determined by its functionality, not its size. "There is a consumer
electronics, 'disposable' feel about a PDA. But the value is not in
the hardware, it is in the intellectual property," he says.
According to the Mobile Industry Crime Action Forum, more than
700,000 phones were lost or stolen last year. It is all too
easy to lose or leave a device in the back of a taxi and, because
handhelds are perceived as more personal devices, security is often
left in the hands of users.
Although laptops have been pretty much locked down through
anti-virus software, virtual private networks (VPNs) and user
authentication, PDA security is often neglected.
Few people use a personal identification number to secure their
mobile phone, and when this becomes a smartphone, with access to
data, there is no accompanying change in their approach to
security.
Even cellphones have an inherent value with their contact
database. "Phones may be regarded as relatively separate to the
business, but it is not a big step to synchronise them with Outlook
e-mail systems," says Bamforth.
Users may not treat PDAs or smartphones with the reverence they
are due, but they do at least have the advantage of being more
permanently connected than laptops, and this makes remedial action
easier.
If a device is reported lost or falls into the wrong hands, it
is relatively easy to issue a "kill pill" that wipes all data from
the device. Plus, the more frequently a device is synchronised with
a central server, the more regularly it will have anti-virus
updates and patches pushed to it.
Nigel Fletcher, mobile segment manager at gas supplier BG Group,
is accustomed to supporting laptops but says there has been a
learning curve associated with deploying Blackberry handheld
devices to its global workforce.
"They are all password protected. They go into lock mode within
15 seconds if this is not supplied," he says. The ultimate
safeguard is the remote wipe, which the company has not had to
execute to date, and the latest version of the Blackberry comes
with an increased range of security policies.
Because the Blackberries are business-critical, BG Group exerts
strong control over their use. For example, applications cannot be
loaded locally and direct internet access is disabled in order to
protect against malware locally or on the network.
BG Group's Blackberry users access the internet by connecting
back to the company proxy server via a VPN, and then out through
the company firewall to the internet.
Although it is safe to assume that the pattern of virus attacks
against desktop and laptop devices will eventually spread to PDAs,
there has been little activity to date. In recent months less than
0.01% of support calls have been related to mobile viruses, reports
mobile data support specialist WDSGlobal.
"Alarm bells should not be ringing at this point. But as
operating systems become more complex and the era of the fully
converged device beckons, it is inevitable that the smartphone will
be the next popular target for virus writers worldwide," says Doug
Overton, head of communications at WDSGlobal.
Mobile network operator Orange confirms this assessment of risk.
"We are not that worried yet about viruses. When they do hit, we
will be able to control them through over-the-air management and
push software patches down to devices," says Clive Richardson,
director at Orange Business Solutions.
PDAs are currently too fragmented an area, comprising multiple
operating systems, to appeal to virus writers. And the early models
have too little memory to even run a virus program. "No one would
bother writing a virus for the Nokia 400 series," says
Richardson.
But when the market consolidates and the virus threat
materialises, IT directors can at least draw comfort from the
lessons they have learned protecting desktop devices.
"The IT community has become reasonably good at developing a
patching strategy. Many also use third parties for e-mails and
messaging and thus the border perimeter is relatively secure," says
Ben Booth, chairman of IT directors group Elite.
But there is an emphasis on mobile computing among his peers,
Booth says. "People are out and about at home and in the field, and
this brings other concerns to bear." The first of these is the
leakage of wireless networks into public spaces. Anyone with a
wireless-configured device will know how common an occurrence this
is, and yet there are straightforward actions to prevent it.
James Walker, solutions manager at networks supplier Telindus,
says, "Because it is so easy to set up, anyone can do it and they
are not necessarily thinking about what the bandwidth is being used
for or who can access it."
The second worry is keeping track of who has which device. Asset
management is by nature a lot harder with mobile kit because it
does not stay in one location. As usual, the whereabouts of the
hardware device is less significant than the software that resides
on it.
There is a big problem with alien software, says Graham
Titterington, principal analyst at Ovum. A PDA is halfway to being
an entertainment device and users are busy acquiring their own
applications. "An IT manager needs good device configuration that
keeps track of everything, including software versions, to reduce
vulnerability to future viruses," he says.
Booth agrees that infection through malware is the gravest
threat posed by any kind of unsecured mobile device. Market
research company Mori, where Booth is chief information officer,
has circumvented the malware threat by web-enabling all
applications for remote access.
"Web access is inherently more secure because you link in
through the application, rather than connecting directly to a
network server or database," he says.
As Booth points out, suppliers have web-enabled most of their
applications and so this is a pragmatic solution.
However, for companies that delegate roaming access rights to
employees, keeping staff on board with policies is a major
challenge for mobile security strategy. Maintaining the appropriate
level of vigilance is more important than employing the latest
version of a technology.
"Treat wireless or remote access through the air in the same way
as you would when you connect to the corporate network from your
home office and you will not go far wrong," says Walker.
A mobile workforce is more fragmented and independent than
office-based staff, so it is vital to make support simple and
seamless, otherwise employees will tend to do their own thing.
"Ideally there should be one point of contact for all devices
because the last thing users want is to have to call one number for
telephones, another for PDAs and one more for laptops," says
Bamforth.
Amnesties are another good way of bringing errant devices - and
users - into the fold. "Whether it is instant messaging, PDAs or
another device that is not officially endorsed, there are users out
there connecting who feel they cannot mention it," says
Bamforth.
Orange has learned from experience the importance of drilling
its staff in security matters. "You have to be very repetitive
about telling people what to do. It becomes annoying for people to
have passwords and so they disable them. You just have to keep
checking," says Richardson.
Case study: handhelds help manage Soho property empire
Property investment company Shaftesbury is famous for owning and
managing most of Soho in London. The estate is run by a highly
mobile and dispersed team of managing agents, lawyers, surveyors
and architects, who need to be in close contact as time-sensitive
deals go through.
Originally the firm equipped its staff with both mobiles and
PDAs but this was too cumbersome. Reconfiguring access to central
systems each time a device was issued or replaced was particularly
irksome, says Gareth Field, Shaftesbury group accountant and IT
manager.
Field decided to deploy a thin client system from OpenHand
across Palm Treo 650 PDAs and he has found the thin client mobile
e-mail to be more secure and easier to administer.
"Our surveyors have a habit of losing their mobile phones. With
OpenHand we do not have to worry about data being lost," says
Field.
The company's surveyors rarely take the time to read manuals but
now, if a new phone is issued, the configuration is pushed to it.
Shaftesbury workers get real-time wireless access to e-mail,
calendar, contacts, tasks and local folders, over any wireless
mobile protocol.
Data is subject to 256-bit encryption and passwords are changed
automatically once a month. Shaftesbury's four directors are given
access through a VPN to the company database from laptops or home
computers.
"We have never had to put strong policies in place because our
staff are all decision makers and take a mature approach to e-mail
and internet use," says Field.