The mobile security conundrum

The range and variety of IT security defences for portable computers is excellent, and able to cater for all budgets and types of user; however, the same cannot be said for smartphones and tablet computers.

With 45 million iPads already sold, and the prospect of Android tablets and BlackBerry tablets also selling in their millions, companies of all sizes have a security problem on their hands. And this is before we even begin to talk about securing the rising numbers of smartphones in the business workplace.

With most business users toting one or more mobile devices holding a variety of email, documents and contact details in their memory, smartphones and tablet computers should be afforded the same levels of security and protection as the laptops and netbooks in circulation.

Already the line between portable computers and mobile devices such as smartphones and tablets is becoming blurred. Toshiba has already released an Android-based netbook, and several vendors – notably Acer and Lenovo – have laptops running Windows and Android coming down the technology turnpike this summer.

The pressing question facing the hard-pressed IT security manager is how to get the mobile security focus back on track, in the face of a paucity of tablet- and smartphone-specific security offerings and a general apathy amongst corporate users.

A major report published recently by the CNCCS, Spain’s national cybersecurity advisory council, found that a general lack of security awareness amongst mobile users, and their carelessness, are the two main risk factors for smartphones in business. Unlike the previous generations of mobiles, which are – at worst – susceptible to local Bluetooth hijacking, today’s smartphones are subject to the same risks as PCs.

Against this backdrop, the research recommends that users take all necessary precautions when opening email messages or SMS attachments, or when clicking links – the latter being an entry point for the latest Zeus attacks. Users should also be wary of any files, links or numbers received in unsolicited email or SMS messages, and avoid using untrusted Wi-Fi networks.

Most notable of all is the recommendation that firms should take smartphones into account when establishing their corporate security policies.

The CNCCS report confirms many of the findings of Origin Storage’s survey of IT security professionals at April’s Infosecurity Europe show, in which 41% of IT professionals admitted to carrying sensitive information on their smartphones.

Meanwhile, one in five respondents revealed that their employer had suffered a breach as a result of a portable device going missing, and more than half revealed that the portable device was not encrypted. And yet 70% of organisations had made data encryption mandatory in their businesses, suggesting that many users of portable devices are breaking their own firm’s security policy rules in their day-to-day business.

This apathy perhaps also explains the fact that 37% of respondents admitted that between four fifths and all of the sensitive data stored on their portable devices was unprotected.

This proves the case that we are not just dealing with a few files copied to a portable device in a hurry – perhaps by an employee who is late for an off-site meeting. This is a failing in corporate security policies and their implementation.

So what is the solution to the general apathy surrounding the use of portable devices, and especially internet-connected devices such as tablet computers and smartphones?

User education, while desirable, plainly isn’t working, as most corporate users of technology are probably aware of the security risks posed by their laptop computer.

Unfortunately for corporate portable device users everywhere, most smartphones are sold to companies through cellcos or their dealers. And, as any mobile user will attest, security is rarely on the agenda of the dealers and cellular networks that are busy promoting and selling their handsets plus mobile phone contracts. It’s a non-starter.

The reality is that it will probably take a series of major corporate blunders involving sensitive data lost as the result of a lapse of security in a tablet computer or smartphone, with the affected company’s reputation and share price taking a consequential battering, before attitudes change.

There is nothing like a share price dip of eight to 10% to focus the attention of a CEO and CFO, and so pressure the IT manager into deploying sound security solutions and practices to stop such an incident from ever happening again.

The irony of this situation will not go unnoticed amongst those IT professionals reading these words whose experience dates back to the 1990s, when desktop and laptop security was at a similar evolutionary stage to that of mobile security today, some two decades later.

Regulatory influences such as the Data Protection Act (DPA), which covers personally identifying information, and the PCI DSS rules applying to any business that stores card transaction data are all well and good, but the fact that the Information Commissioner’s Office has only rarely prosecuted an organisation for a breach of the DPA means that the stick approach obviously isn’t working.

With the arrival of more and more advanced tablet computers and smartphones, it is clear that on-device encryption has to be the way forward, supplemented by corporate policies that prohibit the use of mobile devices without encryption and treat a breach of the rules as a disciplinary offence. Only then will it be possible to change the habits of UK plc.

Andy Cordial is managing director of Origin Storage