To give a snapshot of the problem, a typical mobile operator has to deal with between 60,000 and 100,000 malware attacks per day, with some users’ phones issuing upwards of 100 to 150 messages per day for the Commwarrior virus. The Besolo variant can achieve daily peak rates of up to 230 per day. The problem is also likely to become more widespread, with the Yankee Group indicating that the number of enterprise mobile data users will increase to nearly 270 million by 2010, representing a 19.8% compound annual growth rate.
Looking at these numbers, it comes as no surprise that industry experts, including the Jericho Forum, have started to pay attention to the problem. At the Infosecurity show in London this year, participants were calling for common mobile security standards and were urging mobile device manufacturers to start building security into handsets at production stage.
Although this is a great start, and security on the handset is important, we have to bear in mind there are more than two billion handsets already in use, it will take between five and 10 years before this population of handsets is replaced. Therefore, security on the handset cannot eradicate the problem. Viruses come in many different disguises, and the threat landscape is constantly evolving. By the time a handset reaches the market, its security package will already be out of date and will require time-consuming updates by the user. Just imagine Patch Tuesday on mobiles! Users expect a lot from their operator, and security is definitely one of those things. According to McAfee, almost 60% of customers expect their mobile operators to take primary responsibility for protecting their devices.
Thus, as with PC security, a more effective way of ensuring protection is by securing the network, in this case the mobile operator’s network. This way, not only known viruses, but also anomalies within the network can be detected, isolated and disinfected, enabling network immunisation.
A network-centric approach is particularly important for the modern enterprise, as more and more business is conducted "on the move". Smartphones can now hold large amounts of business data, which, if not secured, can be lost or stolen. Having security on the network also means that employee-specific policies can be set. For example, employee A is not allowed to download XYZ, while employee B is prohibited from accessing the mobile internet – a similar approach to the one some organisations are already using for their PC infrastructure.
It is good to see that analysts, suppliers, the government and operators alike are starting to publicly acknowledge that action to standardise mobile security is needed, and needed fast. Whilst it will no doubt take some time to agree and set common standards, the technology is available today that can effectively protect a mobile operator’s subscribers through their network, so there’s no excuse to not take the initiative in offering better protection to their customers and ultimately their bottom line.
This was first published in May 2008