The productivity benefits of smart phones and other mobile devices are difficult to ignore, and enterprises will continue to role them out across their workforce. For CIOs and other senior IT personnel the time to consider and implement a comprehensive mobile security policy is now.
Security measures should take into account security threats that are both external and internal while enabling a holistic approach that encompasses personalization and other access controls. The mobile environment has numerous weaknesses, and specialized threats are growing increasingly severe. Currently, there are over 300 mobile virus variants loose globally. The latest versions are more sophisticated and attack a device with the purpose of generating revenue or stealing confidential stored data. From an employee’s credit card information to his Outlook appointments, every stored piece of data can be vulnerable.
Sophos’s Security Threat Report 2008 indicated that the wider use of new mobile technologies and Wi-Fi enabled devices may be opening up new vectors of attack for hackers. As personal Wi-Fi devices grow in popularity, the report states, the risks will no doubt increase. Sophos experts also note that low cost ultra-mobile PCs, such as the popular Linux-based ASUS Eee laptop, are likely to gain the attention of the cyber underworld as sales continue to grow.
My own company’s research in cellular operator networks indicates that while infection rates are low overall, corporates are the most vulnerable to viruses for three reasons: firstly, companies tend to use one or two phone types; secondly, employees have similar address books so are more likely to trust an MMS or email from a colleague; and thirdly, few individuals are made to check their bills so high MMS and SMS spend is ignored.
Leaving aside the threat of mobile viruses, which is still early, CIOs are also having to look at the impact of anti-harassment, data protection and industry-specific regulation. An employee who texts an inappropriate joke or sends an offensive picture from his company camera phone to another colleague may place the company under the same liabilities as if he had used email from his work PC. One proof of concept virus downloaded pornographic pictures and sent them to all the contacts on a user’s phone – embarrassing for the sender and potentially damaging for the company if sent to customers.
Legislation has forced CIOs for years to ensure that email and voice communication is logged and archived for future auditability or risk management. But what proportion of a company’s communications occurs over mobile devices, rather than from the office PC and desk phone? Savvy cellular operators are looking at providing message archiving services for corporate customers, moving from being just a carrier to a provider of security services for corporates. Acceptable Use Policies for Web browsing from the office are expected, but Internet-enabled phones and high-speed data cards for laptops allow employees to breach these policies without fear.
Concerns over director’s liabilities notwithstanding, most corporates are now demanding the tools to set and monitor mobile Web usage – to ensure that the spend on mobile data is for legitimate business purposes, not for the latest mp3 downloads.
Mobile security is at a phase similar to that of PC security in the mid-90s, and the familiar debate of how to secure mobile data is occurring. Many mobile devices are not equipped to handle full security measures and filtering at the device level, which would slow down response time, drain a device’s battery and cause an escalation in the corporate’s help desk costs. Instead, for the North American enterprise, controls are best handled on the network of the enterprise’s cellular service provider.
CIOs should plan to engage their mobile operators to work on a security plan that encompasses and is customized for all levels of the organization. For example, some companies may choose to limit access to the mobile Internet or other options based on an employee’s seniority or job function. It is only the mobile operator that has the ability to customize security on an individual level and deliver this as a cost-effective suite of services to the corporate.
Many CIOs will want to put in customizable controls. One large enterprise we know of is blocking all employees’ mobile access to YouTube and other UGC sites. The CIO did not want YouTube draining enterprise network resources, and also had liability concerns around employees downloading inappropriate videos.
Protecting an expanding mobile workforce which is adopting more sophisticated devices and mobile applications requires an innovative approach and an active engagement among the telecommunication and IT groups in addition to the mobile operator. Mobile security should be integrated with all other security to operate seamlessly, and CIOs who act now will be ahead of the game.
Gareth Maclachlan is founder and Chief Operating Officer of mobile security provider AdaptiveMobile. Previously, he was Wireless Investment Director at global VC firm ETF Group. Mr. Maclachlan led projects with the UK Home Office, National Criminal Intelligence Service, Interpol and other UK and European security bodies to assess and respond to the emerging national threats from the Internet.