Smartphone security is becoming more top of mind as mobile device adoption increases. According to analyst firm Gartner Inc., worldwide smartphonesales grew 72% in 2010. In Western Europe and North America, which accounted for 52.3% of smartphone sales in the fourth quarter alone, smartphones are redefining everyday life: how we communicate, how and when we work, and how we conduct our banking and shopping. As such, they are also introducing security risks. With this backdrop, the European Network and Information Security Agency (ENISA) published Smartphones: Information security risks, opportunities and recommendations for users. SearchNetworking.co.UK conducted an email interview with one of the report’s authors, Marnix Dekker, to learn more about the risks smartphones pose to UK businesses.
The report analyzes 10 smartphone security risks for end users. Of those 10, which is the most dangerous mobile security risk for businesses?
Dekker: For businesses, theft or loss of the smartphone is the biggest risk, according to the experts who contributed to the paper. Theft and loss can lead to data leakage when the smartphone is not locked or the smartphone memory not sufficiently protected.
What advice do you give businesses for addressing this risk?
Dekker: In the smartphone security report, we give risk-based recommendations for IT officers in businesses that can be plugged into a typical security policy.
For this particular risk, it is important first of all to have mobile policy rules covering smartphone encryption (data-at-rest encryption) and access control to the smartphone (PIN-lock). This, by the way, applies equally to traditional mobile devices, such as laptops, USB sticks, etc.
Secondly, classified data should not be stored on smartphones, and in general it is a good idea to limit the amount of confidential corporate data on the smartphone, whenever possible. Designing apps to be Web-based can be a way to do this.
Thirdly, if important data is stored on smartphones, IT officers in business should have rules that require there are backups of this data. Note that by addressing this risk another top risk is also mitigated: The risk of improper decommissioning.
The report rates the likelihood, impact and risk of each threat as it pertains to each usage scenario. It looks like the threats that have a low rating for the consumer have a high rating for the employee and vice versa. That being the case, it stands to reason that the introduction of consumer-owned smartphones to the corporate environment is the most significant threat of them all. Would you agree?
Dekker: That is an interesting argument. An increasing number of businesses allow consumer-owned smartphones to be used for business purposes. A smartphone is a very personal device, and it is impractical for employees to use two separate smartphones. We do not see this as a threat, but rather a development.
In the report we have not addressed this development, leaving it instead for future work. In this report we simply assume that the IT officer can enforce compliance to the policy rules, without going into details about how IT officers can enforce policies on consumer-owned phones.
How should IT staffs address the use of personally owned smartphones for business?
Dekker: There seem to be compelling business reasons for allowing this usage, but the associated risks require special care. As said, in the coming months we expect to look into this aspect separately.
The report offers recommendations for both consumers and businesses. How much responsibility should businesses assume for educating and even securing their employees’ personally owned smartphones?
Dekker: That is a very good question. The IT officer has a good position to advise and support employees in securing their smartphones, and it should be the IT officer’s responsibility to offer advice and -- where possible -- tools to employees for securing their personally owned smartphones.
The report details a number of smartphone capabilities or qualities that can improve security. Which of those should a business use as criteria for determining which smartphones it will allow on the network?
Dekker: Although we did not make a full market survey or a product comparison, we did find that smartphone vendors address risks in different ways: One smartphone may encrypt the memory for example, to mitigate theft, while another uses remote-location and remote-wipe for this. Such design choices make a big difference. So a good start is to base the criteria on how the smartphones are (or can be) protected from the top risks. It goes without saying that besides security other criteria play an important role, as well. For example, most businesses have chosen their desktop computers based on criteria such as costs and interoperability, not security.
The fact that smartphone vendors take very different approaches to security is confusing for consumers and complicates the work of IT officers. We look forward to seeing more standardization across smartphone vendors when addressing security and we will try to support, where possible, the development of industry standards for security of smartphones and smartphone apps.
--Crystal Bedell is an award-winning writer and editor specializing in technology. She can be reached at [email protected]