What are your plans for securing smartphones and tablet computers?
PCs have been the chosen target for a long time, and they are fairly well protected. But there is little in the way of security tools for smartphone devices.
Vice President of Technical StrategyM86 Security Inc.
If industry experts are right, and smartphones become a major target of cybercriminals next year, the majority of companies will be poorly prepared to protect themselves.
One new study by research company Goode Intelligence Ltd. asked senior security and IT managers about their approach to mobile and smartphone security policy (.pdf) and procedures, and found that two-thirds allowed their users to store company information on unencrypted mobile devices. In addition, only 56% of respondents said they had a documented security policy that covered mobile devices, and 68% said user awareness of mobile security was inadequate.
The research also discovered that, although the BlackBerry is still the dominant mobile device for business, 40% of organisations had already adopted the Apple iPad for business use, despite a number of known iPad security issues.
These findings are corroborated by a separate mobile device security study carried out by research company Ovum Ltd. and the trade body EEMA. The study found that 90% of organisations provide their employees with mobile devices (not including laptop PCs), and 70% allow employees to use the corporate devices for personal applications, which include personal email, instant messaging, Skype and social networking sites. Only 40% said they block access to corporate systems from personally owned mobiles.
Respondents in the Ovum study expressed concern over mobile security, primarily because of potential data leakage and the higher level of exposure to attack from outsiders. Only 9% said they had already knowingly suffered a breach following misuse of a mobile device, however.
Graham Titterington, principal analyst at Ovum and head of the research study, described security efforts for mobile devices as "patchy," with security focusing either on user authentication or on remote disabling of a lost device.
However, although the security industry has been forecasting the rise of mobile malware for several years, very little has so far occurred. The BlackBerry operates in what most organisations regard as a secure ecosystem, and Apple keeps close controls over the apps that it allows onto its AppStore. Some worms have been developed for the iPhone, but they have generally attacked jailbroken devices.
The more open Android platform seems to offer hackers greater opportunity to plant malware. In August 2010, Security researchers at Kaspersky Lab announced the first malware for the Android operating system. Classified as a Trojan-SMS, the malware hides a piece of code that secretly sends text messages to premium rate numbers owned by crooks.
However, some experts are predicting that 2011 could (unlike previous similar predictions) really be the year of the mobile malware threat.
"PCs have been the chosen target for a long time, and they are fairly well protected. But there is little in the way of security tools for smartphone devices," said Bradley Anstis, vice president of technical strategy for Orange, Calif.-based M86 Security Inc. "So that makes them a very attractive target."
He said that hackers are now writing malware to attack mobile platforms. For instance, in 2010 the Zeus Trojan targeted a two-factor authentication component on phones running the Symbian operating system. The attack was designed to capture the one-time password sent via SMS messaging for a banking application, and was intended to work in collaboration with an attack taking place on a PC platform.
His advice to companies is to ensure there are clearly defined policies and security controls in place for usage of mobile devices on the corporate network.
[Smartphone monitoring] technology is still quite fragmented. ... It will be another year before we see fully featured products that can manage a range of devices as part of overall policy.
Analyst and DirectorQuocirca Ltd.
Technology for smartphone security?
The big challenge for most companies wanting to manage usage of wireless devices is that the devices often fulfil a dual role, for both work and personal usage. The danger is that valuable corporate data could leak into the user's personal applications --such as social networking -- or be lost if a device is stolen or misplaced.
Developing a consistent policy and enforcing it among employees, so they know what they should or should not do on their mobile devices, is an essential first step for companies, according to Bob Tarzey, analyst and director at research company Quocirca Ltd.
To back up policy, he advocates use of monitoring technology to help users make the right decisions. "You should be able to send a message if someone is going to, for example, email a confidential document, just to check they know what they are doing," he said.
But he warned that most vendors do not yet have a full set of technology tools in place that integrate well across all platforms. "The technology is still quite fragmented, and I think it will be another year before we see fully featured products that can manage a range of mobile devices as part of overall policy," he said.
EU offers guidance
The European Network and Information Security Agency (ENISA) has issued a new document on smartphone security outlining the security risks associated with smartphone usage, and also suggesting recommendations that consumers and businesses should follow to improve security. The document makes the point that the new generation of wireless devices presents even greater threats than traditional PC laptops. "Smartphones contain multiple sensors, such as a microphone, camera, accelerometer and GPS," the document says. "This, combined with the possibility of installing third-party software and the fact that a smartphone is closely associated with an individual, makes it a useful spying tool."
For corporate users, the document recommends that companies focus on smartphone memory encryption, whitelisting of applications and secure decommissioning of devices when they are no longer needed.