Hidden dangers: Careless mobile use could jeopardise company data

Viruses are yet to become a major threat to mobile devices, but careless users and poor configuration could jeopardise company data. Helen Beckett reports

Mobile computing is changing the way businesses are organised and workers communicate. But it is a low-key revolution: the infrastructure that enables it - wireless networks and miniature computing devices - is largely hidden from view.

There are hidden dangers in this quiet revolution. Because mobile computers are small, they are often treated carelessly by their users. And because wireless networks are easy to implement, anyone, however ill-qualified, can have a go. The net result is frequent instances of unsecured mobile computing.

By 2008, 75% of the sales and services workforce worldwide will be mobile, according to analyst firm Gartner. IDC analysts are even more upbeat, forecasting that 66% of the workforce will be mobile by 2006, by which time there will be 100 million mobile workers in Western Europe.

Nonetheless, a study by Quocirca found an alarming lack of respect for mobile devices by their users. "The smaller the device, the less reverence users have," says Rob Bamforth, principal analyst at the research firm.

Carelessness by end-users was widely reported by respondents, one of whom suggested mobiles and personal digital assistants should be attached to users with string, like children's mittens, for safekeeping.

Bamforth says the level of respect for any device should be determined by its functionality, not its size. "There is a consumer electronics, 'disposable' feel about a PDA. But the value is not in the hardware, it is in the intellectual property," he says.

According to the Mobile Industry Crime Action Forum, more than 700,000 phones were lost or stolen last year. It is all too easy to lose or leave a device in the back of a taxi and, because handhelds are perceived as more personal devices, security is often left in the hands of users.

Although laptops have been pretty much locked down through anti-virus software, virtual private networks (VPNs) and user authentication, PDA security is often neglected.

Few people use a personal identification number to secure their mobile phone, and when this becomes a smartphone, with access to data, there is no accompanying change in their approach to security. 

Even cellphones have an inherent value with their contact database. "Phones may be regarded as relatively separate to the business, but it is not a big step to synchronise them with Outlook e-mail systems," says Bamforth.

Users may not treat PDAs or smartphones with the reverence they are due, but they do at least have the advantage of being more permanently connected than laptops, and this makes remedial action easier.

If a device is reported lost or falls into the wrong hands, it is relatively easy to issue a "kill pill" that wipes all data from the device. Plus, the more frequently a device is synchronised with a central server, the more regularly it will have anti-virus updates and patches pushed to it.

Nigel Fletcher, mobile segment manager at gas supplier BG Group, is accustomed to supporting laptops but says there has been a learning curve associated with deploying Blackberry handheld devices to its global workforce.

"They are all password protected. They go into lock mode within 15 seconds if this is not supplied," he says. The ultimate safeguard is the remote wipe, which the company has not had to execute to date, and the latest version of the Blackberry comes with an increased range of security policies.

Because the Blackberries are business-critical, BG Group exerts strong control over their use. For example, applications cannot be loaded locally and direct internet access is disabled in order to protect against malware locally or on the network.

BG Group's Blackberry users access the internet by connecting back to the company proxy server via a VPN, and then out through the company firewall to the internet.

Although it is safe to assume that the pattern of virus attacks against desktop and laptop devices will eventually spread to PDAs, there has been little activity to date. In recent months less than 0.01% of support calls have been related to mobile viruses, reports mobile data support specialist WDSGlobal.

"Alarm bells should not be ringing at this point. But as operating systems become more complex and the era of the fully converged device beckons, it is inevitable that the smartphone will be the next popular target for virus writers worldwide," says Doug Overton, head of communications at WDSGlobal.

Mobile network operator Orange confirms this assessment of risk. "We are not that worried yet about viruses. When they do hit, we will be able to control them through over-the-air management and push software patches down to devices," says Clive Richardson, director at Orange Business Solutions.  

PDAs are currently too fragmented an area, comprising multiple operating systems, to appeal to virus writers. And the early models have too little memory to even run a virus program. "No one would bother writing a virus for the Nokia 400 series," says Richardson.

But when the market consolidates and the virus threat materialises, IT directors can at least draw comfort from the lessons they have learned protecting desktop devices.

"The IT community has become reasonably good at developing a patching strategy. Many also use third parties for e-mails and messaging and thus the border perimeter is relatively secure," says Ben Booth, chairman of IT directors group Elite.

But there is an emphasis on mobile computing among his peers, Booth says. "People are out and about at home and in the field, and this brings other concerns to bear." The first of these is the leakage of wireless networks into public spaces. Anyone with a wireless-configured device will know how common an occurrence this is, and yet there are straightforward actions to prevent it.

James Walker, solutions manager at networks supplier Telindus, says, "Because it is so easy to set up, anyone can do it and they are not necessarily thinking about what the bandwidth is being used for or who can access it." 

The second worry is keeping track of who has which device. Asset management is by nature a lot harder with mobile kit because it does not stay in one location. As usual, the whereabouts of the hardware device is less significant than the software that resides on it.

There is a big problem with alien software, says Graham Titterington, principal analyst at Ovum. A PDA is halfway to being an entertainment device and users are busy acquiring their own applications. "An IT manager needs good device configuration that keeps track of everything, including software versions, to reduce vulnerability to future viruses," he says.

Booth agrees that infection through malware is the gravest threat posed by any kind of unsecured mobile device. Market research company Mori, where Booth is chief information officer, has circumvented the malware threat by web-enabling all applications for remote access.

"Web access is inherently more secure because you link in through the application, rather than connecting directly to a network server or database," he says.

As Booth points out, suppliers have web-enabled most of their applications and so this is a pragmatic solution.

However, for companies that delegate roaming access rights to employees, keeping staff on board with policies is a major challenge for mobile security strategy. Maintaining the appropriate level of vigilance is more important than employing the latest version of a technology.

"Treat wireless or remote access through the air in the same way as you would when you connect to the corporate network from your home office and you will not go far wrong," says Walker.

A mobile workforce is more fragmented and independent than office-based staff, so it is vital to make support simple and seamless, otherwise employees will tend to do their own thing.

"Ideally there should be one point of contact for all devices because the last thing users want is to have to call one number for telephones, another for PDAs and one more for laptops," says Bamforth.

Amnesties are another good way of bringing errant devices - and users - into the fold. "Whether it is instant messaging, PDAs or another device that is not officially endorsed, there are users out there connecting who feel they cannot mention it," says Bamforth.

Orange has learned from experience the importance of drilling its staff in security matters. "You have to be very repetitive about telling people what to do. It becomes annoying for people to have passwords and so they disable them. You just have to keep checking," says Richardson.

Case study: handhelds help manage Soho property empire

Property investment company Shaftesbury is famous for owning and managing most of Soho in London. The estate is run by a highly mobile and dispersed team of managing agents, lawyers, surveyors and architects, who need to be in close contact as time-sensitive deals go through.

Originally the firm equipped its staff with both mobiles and PDAs but this was too cumbersome. Reconfiguring access to central systems each time a device was issued or replaced was particularly irksome, says Gareth Field, Shaftesbury group accountant and IT manager.

Field decided to deploy a thin client system from OpenHand across Palm Treo 650 PDAs and he has found the thin client mobile e-mail to be more secure and easier to administer.

"Our surveyors have a habit of losing their mobile phones. With OpenHand we do not have to worry about data being lost," says Field.

The company's surveyors rarely take the time to read manuals but now, if a new phone is issued, the configuration is pushed to it. Shaftesbury workers get real-time wireless access to e-mail, calendar, contacts, tasks and local folders, over any wireless mobile protocol.

Data is subject to 256-bit encryption and passwords are changed automatically once a month. Shaftesbury's four directors are given access through a VPN to the company database from laptops or home computers.

"We have never had to put strong policies in place because our staff are all decision makers and take a mature approach to e-mail and internet use," says Field.
