Security forecast: mobile devices


Security forecast: mobile devices

Although historically little interest has been shown in security threats to mobile devices compared with that posed to PCs, the tables have recently started to turn. The Centre for the Protection of Critical National Infrastructure (CPNI) has stated that it is very concerned about the possibility that organisations critical to the UK's infrastructure could be attacked via mobile devices. The extent of the threat to national infrastructure is disputed; however, spam, malware and viruses have been a thorn in the side of mobile operators for years.
To give a snapshot of the problem, a typical mobile operator has to deal with between 60,000 and 100,000 malware attacks per day, with some users’ phones issuing upwards of 100 to 150 messages per day for the Commwarrior virus. The Besolo variant can achieve daily peak rates of up to 230 per day. The problem is also likely to become more widespread, with the Yankee Group indicating that the number of enterprise mobile data users will increase to nearly 270 million by 2010, representing a 19.8% compound annual growth rate.
Looking at these numbers, it comes as no surprise that industry experts, including the Jericho Forum, have started to pay attention to the problem. At the Infosecurity show in London this year, participants were calling for common mobile security standards and were urging mobile device manufacturers to start building security into handsets at production stage. 
Although this is a great start, and security on the handset is important, we have to bear in mind there are more than two billion handsets already in use, it will take between five and 10 years before this population of handsets is replaced. Therefore, security on the handset cannot eradicate the problem. Viruses come in many different disguises, and the threat landscape is constantly evolving. By the time a handset reaches the market, its security package will already be out of date and will require time-consuming updates by the user. Just imagine Patch Tuesday on mobiles! Users expect a lot from their operator, and security is definitely one of those things. According to McAfee, almost 60% of customers expect their mobile operators to take primary responsibility for protecting their devices.
Thus, as with PC security, a more effective way of ensuring protection is by securing the network, in this case the mobile operator’s network. This way, not only known viruses, but also anomalies within the network can be detected, isolated and disinfected, enabling network immunisation.
A network-centric approach is particularly important for the modern enterprise, as more and more business is conducted "on the move". Smartphones can now hold large amounts of business data, which, if not secured, can be lost or stolen. Having security on the network also means that employee-specific policies can be set. For example, employee A is not allowed to download XYZ, while employee B is prohibited from accessing the mobile internet – a similar approach to the one some organisations are already using for their PC infrastructure.
It is good to see that analysts, suppliers, the government and operators alike are starting to publicly acknowledge that action to standardise mobile security is needed, and needed fast. Whilst it will no doubt take some time to agree and set common standards, the technology is available today that can effectively protect a mobile operator’s subscribers through their network, so there’s no excuse to not take the initiative in offering better protection to their customers and ultimately their bottom line. 

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

This was first published in May 2008


COMMENTS powered by Disqus  //  Commenting policy