If a recent IDC Canada report is any indication, high-profile cases of stolen mobile devices and compromised personal information may have little effect on how Canadian businesses view security threats to wireless and mobile devices.
According to IDC’s Enterprise Security Survey: Threats and Issues, over 35 per cent of large organizations believe wireless and mobile devices pose “no real threat” to IT security, while only 27.3 per cent view these devices as a significant threat.
The discrepancy is even greater among medium-sized firms, where more than 54 per cent said these devices are not a real threat and only 14.7 per cent said they pose security risks.
IDC probed 200 medium-sized organizations and 170 large enterprises in Canada. Trojans, viruses and worms topped the list of security concerns.
“I don’t think medium-sized companies think about security nearly as much as they should and it could potentially be a problem for them down the road,” said Joe Greene, vice-president of IT security research at IDC Canada.
He added that organizations tend to focus more on the “wired world” of worms and viruses, but wireless technology is becoming so pervasive that organizations have to adopt a more holistic strategy around IT security.
While many high-profile breaches have involved stolen laptops, other mobile communication devices such as personal digital assistants (PDAs) and smart phones are also at risk, as they can likewise store significant amounts of sensitive corporate data.
At last month’s Defcon hacker conference in San Francisco, security researcher Jesse D’Aguanno demonstrated what he called the first Trojan horse malware for the BlackBerry device.
It was written to show that while these devices are often not treated with the same concern as PCs, they can be equally dangerous, said D’Aguanno.
A big part of the problem around the security of mobile and wireless devices is the lack of education among employees and business executives on the risks associated with the use of these types of gadgets, said Ross Chevalier, chief information officer at Novell Canada.
“There’s certainly an element that says maybe folks aren’t as aware as they should be of some of the risks,” Chevalier said. “No security system will survive someone who doesn’t understand the value in using security and who isn’t going to be compliant or try not to be compliant.”
Mobile security and policy enforcement force people to change the way they use their devices, such as locking and unlocking them through a password mechanism or encrypting sensitive files, Chevalier explained.
Policy enforcement is one thing, but getting people to understand why the company is imposing such rules is another. That understanding is important in uniting the organization to protect corporate information assets through mobile use policies, said Chevalier.
IDC’s Greene echoed the call for user education and noted that Canadian companies are already moving in this direction.
Chevalier cited Novell Canada’s own corporate policy for mobile and wireless security. Novell has made it mandatory for all devices to have passwords for user access. A “device-kill” policy was also enabled on wireless machines.
Device-kill is a function in the operating system that deletes all files on the device if the password is keyed incorrectly a prescribed number of times.