The mobile security conundrum
Whilst the range and variety of IT security defences for portable computers – that’s netbooks and laptops to most people – is excellent, and able to cater for all budgets and types of user, it should be apparent to any security observer that the same cannot be said for smartphones and tablet computers.
With 45 million iPads already having been sold, and with the prospect of Android tablets and BlackBerry tablets also selling in their millions, it’s clear that IT security professionals working within companies of all sizes have a security problem on their hands.
And this is before we even begin to talk about securing the rising numbers of smartphones in the business workplace.
With most business users toting one or more mobile devices with a variety of email, documents and contact details in their memories, it should be clear that smartphones and tablet computers should be afforded the same levels of security and protection as the laptops and netbooks in circulation.
And the lines between portable computers and mobile devices such as smartphones and tablets are becoming blurred. Toshiba already has an Android-based netbook released, and several vendors – notably Acer and Lenovo – have laptops running Windows and Android coming down the technology turnpike this summer.
The pressing question facing the hard-pressed IT security manager is how, in the face of a paucity of tablet and smartphone-specific security offerings and a general apathy amongst corporate users, to get the mobile security focus back on track.
According to a just-released major report from the CNCCS – Spain’s national cybersecurity advisory council – a general lack of security awareness amongst mobile users and their general carelessness are the two main risk factors for smartphones in business.
The conclusions of the June 2011 report are that, unlike the previous generations of mobiles, which are – at worst – susceptible to local Bluetooth hijacking, today’s smartphones are subject to the same risks as PCs.
New attack vectors, says the report – which was researched by our security colleagues at Panda Security and F21Sec – will increasingly be exploited by fraudsters as online banking services use these devices as second authentication factors given the current convergence between PCs and cell phones.
Against this backdrop, the research recommends that users take all necessary precautions when opening email messages, SMS attachments or clicking links – the latter of which is an entry point for the latest Zeus attacks.
Users should also, says the report, be wary of any files, links or numbers received from unsolicited email or SMS messages, and avoid using untrusted WiFi networks.
Most notable of all is the recommendation that firms should take smartphones into account when establishing their corporate security policies.
The just-released CNCCS report confirms many of the findings of Origin Storage’s survey of IT security professionals at April’s Infosecurity Europe show, in which we discovered that 41 per cent of IT professionals are carrying sensitive information on their smartphones.
Against a backdrop of 19 per cent of respondents revealing their employers had suffered a breach as a result of a portable device going missing, and more than half of those respondents revealing that the portable device was not encrypted, it is clear that something has to be done.
What was interesting about the results of the survey was that 70 per cent of organisations had made data encryption mandatory in their businesses, suggesting that many users of portable devices are breaking their own firm’s security policy rules in their day-to-day business.
This apathy also perhaps explains the fact that 37 per cent of respondents admitted that between four-fifths and all of their sensitive data stored on their portable devices was unprotected.
It’s worth noting that this shows we are not just dealing with a few files copied to a portable device in a hurry – perhaps by an employee who is late for an off-site meeting. This is a failing in corporate security policies and their implementation.
So what is the solution to the general apathy surrounding the use of portable devices, and especially Internet-connected devices such as tablet computers and smartphones?
User education, whilst desirable, plainly isn’t working, as most corporate users of technology are probably aware of the security risks posed by their laptop computer.
This understanding has been driven by years of discussion and education by all parts of the IT industry, not least by the resellers and systems integrators that supply this type of kit to most businesses.
Unfortunately for corporate portable device users everywhere, only a handful of those same resellers and systems integrators sell tablet computers into the business environment, whilst most smartphones are sold to companies through cellcos or their dealers.
And, as any mobile user will attest, security is rarely on the agenda of the dealers and cellular networks that are busy promoting and selling their handsets plus mobile phone contracts. It’s a non-starter.
It’s against this backdrop that we are left with the stark reality that it will probably take a series of major corporate blunders involving sensitive data lost as the result of a lapse of security in a tablet computer or smartphone, with the affected company’s reputation and share price taking a consequential battering, before attitudes change.
There is nothing like a share price dip of 8 to 10 per cent to focus the attentions of a CEO and CFO, and so pressure the IT manager into deploying sound security solutions and practices to stop an incident from ever happening again.
The irony of this situation will not go unnoticed amongst those IT professionals reading these words and whose experience dates back to the 1990s, when desktop and laptop security was in a similar evolutionary stage as mobile security is today, some two decades later.
And whilst today we have regulatory influences such as the Data Protection Act and the PCI DSS rules applying to any business that stores personally identifying information or handles card transactions, the fact that the Information Commissioner’s Office has only rarely prosecuted an organisation for a breach of the DPA means that the stick approach will not work.
So what about the carrot approach? That too, sadly, is probably doomed to failure, so we are left with the need for governance and the tapping of hardware plus software resources to help enforce best practice in the mobile security arena.
Supplemented by corporate policies that prohibit the use of mobile devices without encryption – and treating a breach of the rules as a disciplinary offence – it is possible to change the habits of UK PLC.
The process will, however, take time. Changing portable device user security behaviour is a task similar to steering a giant oil tanker – all changes of course need to be planned some way in advance, but once executed can be relied upon to take effect over a period of time.