Smartphone risk: Does your corporate smartphone policy stack up?

Many organisations that allow smartphones to access their networks are woefully under-aware of many of the risks.

This article originally appeared in the spring 2011 issue of IT in Europe, Information Security magazine. See the full magazine for more feature articles about compliance regulations and standards.

Smartphones are rarely given the same level of risk assessment and protection as laptops, even though they introduce similar threats to business networks.

An incident involving a lost or stolen smartphone can escalate into a serious security event, potentially involving unauthorised access to data, voicemails and the network, unauthorised calls and inappropriate use of the Internet. An additional risk is the threat of eavesdropping; researchers recently demonstrated how mobile calls and texts made on any GSM network can be eavesdropped upon using four cheap phones and open source software.

Smartphones need to be locked down -- many insecure features are enabled by default -- in much the same way as laptops, and laptop security policies can be used as a baseline for a corporate smartphone policy.

Businesses, however, must reassess each control from the viewpoint of an attacker in order to develop more effective rules and safeguards to limit the risks smartphones pose. For example, take passwords and idle timeout rules. An excessively long timeout setting could allow an attacker to access data or install spyware, while too short a period requires repeated re-entry of the password, making it easier for an observer to record it.

Strong alphanumeric passwords can be problematic on certain smartphones without a QWERTY keyboard, which highlights the need to assess a phone's security features to ensure it can adhere to your policies. Ease of integration of its email, contact and calendar applications with existing technologies such as Active Directory is also an important consideration.

Encryption is another area to focus on. Full device-level encryption can hamper performance and battery life, but it means all data is effectively unreadable, even if a device finds its way into the wrong hands. It's also less complex than file- or folder-level encryption with regard to data classifications and user interaction. In short, full encryption has become a must-have for any user with high-level access to ensure compliance with policies and regulations.

Depending on your use case, you may need to consider third-party encryption products that can protect the phone as well as its removable SD cards. This may be necessary in meeting certain data and regulatory requirements.

While security technologies like encryption can go a long way toward mitigating risk, good policy planning and enforcement can do even more. For instance, phones should never be allowed to store personal information about customers or intellectual property.

Access to the corporate network using a smartphone should not only be based on the user's role in the business, but also on his or her location and the connection used, such as from inside or outside the corporate network, or through a VPN. For example, a connection via an unsecured Wi-Fi network that is not going through the corporate VPN should be blocked.

VPN access should also be restricted to specific business tasks, as an 'access all areas' approach is not necessary and is too risky. Extending network access control (NAC) technology can provide the necessary checks to establish a phone's access rights based on its patch and antivirus status and application configurations.
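The access rules in the two paragraphs above (block unsecured Wi-Fi that is not inside the corporate VPN, require a VPN from outside the network, gate access on NAC posture checks, and scope VPN access to a role's business tasks rather than 'access all areas') can be expressed as a single policy decision function. The following is an added example, not code from the article or from any vendor named in it; the role-to-resource table, the network names, the `DevicePosture` fields and the sample requests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy tables (assumptions for this example, not from the article).
# Which business resources each role may reach at all, on any connection.
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "sales":   {"email", "calendar", "crm"},
    "finance": {"email", "calendar", "ledger"},
    "admin":   {"email", "calendar", "crm", "ledger", "mdm-console"},
}
# Resources that must only be reached from inside the corporate network, never over VPN.
ONSITE_ONLY: Set[str] = {"mdm-console"}
# Networks that count as 'inside' the corporate network.
TRUSTED_NETWORKS: Set[str] = {"corporate-lan", "corporate-wifi"}


@dataclass
class DevicePosture:
    """Snapshot of a phone and its connection, as a NAC agent might report it (hypothetical)."""
    user: str
    role: str
    network: str               # "corporate-lan", "corporate-wifi", "unsecured-wifi", "mobile-data"
    via_vpn: bool              # traffic is inside the corporate VPN tunnel
    patch_current: bool        # firmware/OS at the mandated patch level
    antivirus_current: bool    # antivirus signatures up to date
    encryption_enabled: bool   # full-device encryption switched on (application configuration check)


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # every rule that denied access


def evaluate_access(device: DevicePosture, resource: str) -> Decision:
    """Return a Decision for one resource request; empty reasons means allowed."""
    reasons: List[str] = []
    inside = device.network in TRUSTED_NETWORKS

    # 1. Connection and location: unsecured Wi-Fi outside the VPN is blocked outright,
    #    and any off-network connection must come through the corporate VPN.
    if device.network == "unsecured-wifi" and not device.via_vpn:
        reasons.append("unsecured Wi-Fi outside the corporate VPN")
    elif not inside and not device.via_vpn:
        reasons.append("off-network connection must use the corporate VPN")

    # 2. NAC posture: patch level, antivirus status and device configuration.
    if not device.patch_current:
        reasons.append("patch level below policy")
    if not device.antivirus_current:
        reasons.append("antivirus signatures out of date")
    if not device.encryption_enabled:
        reasons.append("full-device encryption not enabled")

    # 3. Role scope: VPN access is limited to the role's business resources,
    #    and some resources are never exposed over the VPN at all.
    permitted = ROLE_RESOURCES.get(device.role, set())
    if resource not in permitted:
        reasons.append(f"resource '{resource}' not permitted for role '{device.role}'")
    elif resource in ONSITE_ONLY and not inside:
        reasons.append(f"resource '{resource}' is only reachable from inside the corporate network")

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample requests: (device posture, requested resource).
SAMPLE_REQUESTS = [
    (DevicePosture("alice", "sales",   "corporate-wifi", False, True,  True, True),  "crm"),
    (DevicePosture("bob",   "sales",   "unsecured-wifi", False, True,  True, True),  "email"),
    (DevicePosture("carol", "finance", "mobile-data",    True,  True,  True, True),  "crm"),
    (DevicePosture("dave",  "admin",   "mobile-data",    True,  True,  True, True),  "mdm-console"),
    (DevicePosture("erin",  "finance", "mobile-data",    True,  False, True, False), "ledger"),
]


def run_samples() -> Dict[str, Decision]:
    """Evaluate every sample request and key the decisions by user name."""
    return {device.user: evaluate_access(device, resource) for device, resource in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, decision in run_samples().items():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {user:6s} {'; '.join(decision.reasons) or 'all checks passed'}")
```

The function collects every failing rule rather than stopping at the first, so the help desk (or an audit log) sees the full reason a phone was refused, and a device that is both unpatched and unencrypted is not silently passed once one of those is fixed. Note that unsecured Wi-Fi is allowed when the traffic is inside the VPN tunnel, which matches the article's rule; the posture checks still apply on that path.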

Other policies, such as backups, need to be extended to smartphones, but care should be taken that this safety net doesn't reduce users' sense of duty just because their data is backed up somewhere else. Users need to appreciate that losing a phone is not just an inconvenience to them, but potentially a data breach. There has to be a strong focus on avoiding loss or theft: An average of 10,000 mobile phones are left in the back of London taxis every month, compared to 1,000 laptops. A few minutes of physical access to a phone is all that's needed to download and install off-the-shelf spyware.

To reduce theft or misuse, smartphone risk training for end users has to emphasize information asset ownership and physical security awareness. Employees who understand that they must take responsibility for an organisation’s information assets dramatically improve the strength of its security. Stronger disciplinary measures -- including suspension or even termination in the event of a serious breach of policy -- may need to be introduced to focus people's attention on safeguarding their phones.

Smartphones need to be seen as an extension of the network with standard security maintenance. This involves patch management with administrators following relevant mailing lists to keep on top of firmware and OS updates. User groups and forums are also useful for tackling end-user issues and vulnerabilities. Servers devoted to smartphone applications need to be hardened, with careful attention paid to authentication and authorisation controls.

Enterprise-level smartphone security hasn't, in the past, been a focus of vendors, but this is changing. Centralized management and directory services that provide device monitoring and audit trails, and that push phone and policy settings, are improving, and there's a growing range of products from vendors such as Symantec Corp., McAfee Inc. and Trend Micro Inc. that support enterprise-wide password management, application lockdown, data port disablement and the ability to remotely kill a lost device.

However, features such as locking down cameras or disabling SD card slots are still mainly works in progress, and many mobile applications are poorly written from a security standpoint. Antivirus and antispam applications aren't as mature as their desktop equivalents. Thus, it's essential that the risks from these shortcomings be assessed, as the only remedy is appropriate usage by each user.

Smartphones do open holes in standard network defenses, so risk management is essential to allow the benefits they bring, while avoiding breaches in security. The Stuxnet worm highlights how IT infrastructures need to adapt their security to meet new threats, so managing smartphone risk should be a top priority for IT departments everywhere.

Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions.