
As new and improved technologies appear in the mobile
markets, and are adopted by businesses, so new threats and attacks
appear, writes Gartner vice president and
distinguished analyst John Girard. Through the technology they
use, customers play a major role in opening your business up to
these new attacks.
Real-life attacks are increasing in the form of identity theft
and loss of customer data. Recovering from such attacks imposes a
high cost on businesses. One incident can wipe out all of an
organisation's cost savings and mobile productivity gains.
While your organisation needs to be open to the consumer-grade
technologies used by employees and customers,
such openness can be difficult to secure and manage, and
hackers are well aware of this. They abuse the weaknesses of new
mobile technologies and, even more easily, the behaviour of
end-users who still don't understand that their mobile devices have
become as vulnerable as PCs. Organisations should bring employee
devices under company management, or restrict interactions to
controllable portals with limited access, such as SSL browser
sessions.
Mobile data encryption
If employees do their jobs partly by smartphone, PDA, desktop,
laptop and kiosk, and from wireless hot spots, then sensitive
customer information can leak entirely unintentionally: mobile
devices are lost or stolen, or data is left on removable media
such as USB dongles. The best approach here is to make sure
that all mobile data is encrypted on the device and requires an
authentication challenge for access.
The amount of critical business data being accessed and stored on
smartphones and PDAs is ballooning. There is sufficient
exposure now to encourage hackers to design identity theft,
phishing and other attacks that take advantage of a mobile user's
reduced caution and other factors including location knowledge. GPS
data, for example, will allow hackers to personalise attacks so
they look as if they are from places and people that your employees
will trust. Warn your staff to be cautious. Help them to understand
that they face the next generation of the attacks they have already
seen on PCs.
Wi-Fi weakness
Wi-Fi on phones is typically not properly protected. Wi-Fi is
fast, has a long range and can expose the entire device if it is
not properly firewalled at public access points and configured
with WPA2 when accessing the company LANs. Do not allow Wi-Fi on
mobile devices unless you can secure it. In addition, make
Bluetooth device names unique and undiscoverable so that
Bluetooth Billboards can't easily find them.
Enhanced smartphones/PDAs capable of running complex programs
and sharing executables are becoming commonplace. This raises the
possibility of mobile malicious code being transmitted across
larger bases of exploitable platforms. The number of smartphone/PDA
operating systems is decreasing and utilities such as browsers and
Java are becoming interoperable. This increases the reach of
malicious code across mobile devices. Make sure your browser
security settings prevent unauthorised installations. Implement
code signing so that only company-approved applications can
run.
Build it in
Strong security will require smartphones and PDAs to evolve
defence features similar to those on PCs, but built in from the
start rather than requiring costly third-party accessories. Demand
that your suppliers provide those defences from the beginning. When
putting out tenders for mobile devices and applications, ask the
suppliers what defence and prevention features are built-in. When
you shop for wireless services, ask the vendors what filtering of
malicious software and what security features are baked into those
wireless data services you are paying for.
John Girard is a Gartner vice president and distinguished
analyst