As new and improved technologies appear in the mobile markets and are adopted by businesses, so do new threats and attacks, writes Gartner vice president and distinguished analyst John Girard. Through the technology they use, customers play a major role in opening your business up to these new attacks.
Real-life attacks are increasing in the form of identity theft and loss of customer data. Recovering from such attacks imposes a high cost on businesses. One incident can wipe out all of an organisation's cost savings and mobile productivity gains.
While your organisation needs to be open to the consumer-grade technologies used by employees and customers, such openness can be difficult to secure and manage, and hackers are well aware of this. They abuse the weaknesses of new mobile technologies and, even more easily, the behaviour of end-users who still don't understand that their mobile devices have become as vulnerable as PCs. Organisations should bring employee devices under company management, or restrict interactions to controllable portals with limited access, such as SSL browser sessions.
Mobile data encryption
If employees do their jobs partly by smartphone, PDA, desktop, laptop, kiosks - and from wireless hot spots - then sensitive customer information can leak entirely unintentionally: mobile devices are lost or stolen, or data is left on removable media such as USB dongles. The best approach here is to make sure that all mobile data is encrypted on the device and that access requires an authentication challenge.
The amount of critical business data being accessed and stored on smartphones and PDAs is ballooning. There is sufficient exposure now to encourage hackers to design identity theft, phishing and other attacks that take advantage of a mobile user's reduced caution and other factors including location knowledge. GPS data, for example, will allow hackers to personalise attacks so they look as if they are from places and people that your employees will trust. Warn your staff to be cautious. Help them to understand that they face the next generation of attacks they have already seen on PCs.
Wi-Fi on phones is typically not properly protected. Wi-Fi is fast, has a long range and can expose the entire device if it is not properly firewalled at public access points and configured with WPA2 when accessing the company LANs. Do not allow Wi-Fi on mobile devices unless you can secure it. In addition, make Bluetooth device names unique and undiscoverable so that Bluetooth billboards can't easily find them.
Enhanced smartphones/PDAs capable of running complex programs and sharing executables are becoming commonplace. This raises the possibility of mobile malicious code being transmitted across larger bases of exploitable platforms. The number of smartphone/PDA operating systems is decreasing and utilities such as browsers and Java are becoming interoperable. This increases the reach of malicious code across mobile devices. Make sure your browser security settings prevent unauthorised installations. Implement code signing so that only company-approved applications can run.
Build it in
Strong security will require smartphones and PDAs to evolve defence features similar to those on PCs, but built in from the start rather than requiring costly third-party accessories. Demand that your suppliers provide those defences from the beginning. When putting out tenders for mobile devices and applications, ask the suppliers what defence and prevention features are built in. When you shop for wireless services, ask the vendors what filtering of malicious software and what security features are baked into the wireless data services you are paying for.
John Girard is a Gartner vice president and distinguished analyst
This was first published in May 2008