Although historically little interest has been shown in security
threats to mobile devices compared with those posed to PCs, the
tables have recently started to turn. The Centre for the Protection
of Critical National Infrastructure (CPNI) has stated that it is
very concerned about the possibility that organisations critical to
the UK's infrastructure could be attacked via mobile devices. The
extent of the threat to national infrastructure is disputed;
however, spam, malware and viruses have been a thorn in the side of
mobile operators for years.
To give a snapshot of the problem, a typical mobile operator has to
deal with between 60,000 and 100,000 malware attacks per day, with
some users’ phones issuing upwards of 100 to 150 messages per day
for the Commwarrior virus. The Beselo variant can achieve peak
rates of up to 230 per day. The problem is also likely to become
more widespread, with the Yankee Group indicating that the number
of enterprise mobile data users will increase to nearly 270 million
by 2010, representing a 19.8% compound annual growth rate.
Looking at these numbers, it comes as no surprise that industry
experts, including the Jericho Forum, have started to pay attention
to the problem. At the Infosecurity show in London this year,
participants were calling for common mobile security standards and
were urging mobile device manufacturers to start building security
into handsets at production stage.
Although this is a great start, and security on the handset is
important, we have to bear in mind there are more than two billion
handsets already in use, and it will take between five and 10 years
before this population of handsets is replaced. Therefore, security
on the handset cannot eradicate the problem. Viruses come in many
different disguises, and the threat landscape is constantly
evolving. By the time a handset reaches the market, its security
package will already be out of date and will require time-consuming
updates by the user. Just imagine Patch Tuesday on mobiles! Users
expect a lot from their operator, and security is definitely one of
those things. According to McAfee, almost 60% of customers expect
their mobile operators to take primary responsibility for
protecting their devices.
Thus, as with PC security, a more effective way of ensuring
protection is to secure the network, in this case the mobile
operator’s network. This way, not only known viruses, but also
anomalies within the network can be detected, isolated and
disinfected, enabling network immunisation.
A network-centric approach is particularly important for the modern
enterprise, as more and more business is conducted "on the move".
Smartphones can now hold large amounts of business data, which, if
not secured, can be lost or stolen. Having security on the network
also means that employee-specific policies can be set. For example,
employee A is not allowed to download XYZ, while employee B is
prohibited from accessing the mobile internet – a similar approach
to the one some organisations are already using for their PC
infrastructure.
It is good to see that analysts, suppliers, the government and
operators alike are starting to publicly acknowledge that action to
standardise mobile security is needed, and needed fast. Whilst it
will no doubt take some time to agree and set common standards,
technology is available today that can effectively protect a mobile
operator’s subscribers through its network, so operators have no
excuse not to take the initiative in offering better protection to
their customers and, ultimately, their bottom line.