IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Embrace mobile devices - securely!
Sun, 1st May 2011

In today’s corporate environment, IT departments are under increasing pressure to support a wide range of mobile devices. iPhone, iPad, and Google Android devices are joining BlackBerry, Symbian and Windows Mobile smartphones in the workplace, and their numbers are increasing rapidly. Analyst firm IDC forecasts that smartphone sales in APAC will grow by more than 60% to around 137 million in 2011.

Lost or jail-broken mobile phones, along with viruses and malware sent via mobile mail applications, can pose significant threats to enterprise information security. Mobile phones are by nature highly portable and can store large amounts of data. Since they are relatively easy to steal or lose, an unauthorised intruder can gain access to confidential information on an unprotected mobile device in the blink of an eye. Unsecured wireless transmissions can also be captured without the user ever knowing a security breach has occurred.

Mobile phones have not yet been targeted by criminals to the extent that laptops have been attacked. However, smartphones are certainly not immune. While actual incidents of attacks on mobile devices in the enterprise are mostly anecdotal, analysts and security experts all agree that the next few years could be very different – especially if IT departments are unprepared or slow to implement mobile security strategies.

While employees don’t hesitate to use smartphones at work, they are seemingly unaware of the risks associated with storing business information, including corporate e-mail, on their mobile devices.

In a Trend Micro survey, almost 30% of the 1,000 mobile workers interviewed believed their smartphones were less likely to be infected than their computers. And 44% did not engage security to protect the devices as they browsed the Web, even though 45% stated that they had been infected by malware they received via their mobile phone. Additionally, 23% of the survey respondents stated that they did not use security on their mobile devices, even though it was preinstalled.

The shortlist of risks to mobile devices includes:

  • Lost or stolen hardware
  • Viruses and malware
  • Malicious or insecure applications
  • Software/OS patches that are out of date
  • Spam
  • Phishing schemes
  • Jailbroken iPhones
  • Malicious MMS or SMS messages
  • Mobile devices that automatically connect to an unknown Bluetooth device nearby or to open, unsecured Wi-Fi

Attack by Application

Smartphone attacks are not commonplace. However, as more mobile workers use them for web browsing and information distribution, the number of incidents is likely to increase. Running sophisticated mobile applications, smartphones are fostering open application ecosystems that mirror the world of traditional desktop and laptop computers, making mobile devices equally vulnerable to malware and information theft.

Smartphones are becoming the primary portal for many business applications, including mobile banking and e-mail. Therefore, the data stored on – and travelling across – these devices will increase in value, moving them higher on the target list for data thieves.

While an off-the-shelf iPhone or Android phone is relatively safe, the applications a user chooses to put on the smartphone can render it unsafe. Security experts predict that iPhone and BlackBerry users will be far less prone to attack than users of other mobile devices, mostly due to the stringent application distribution requirements enforced at the Apple App Store and BlackBerry App World. Neither Apple nor RIM allows unapproved applications on its platform, and developers’ applications have to be individually approved for distribution.

However, if a user chooses to compromise, unlock or “jailbreak” the mobile device, then the phone is vulnerable to anything the user downloads, which could put all information stored on the phone, including corporate data and e-mail, at risk.

Users need to be very selective about which programs they choose to run on their smartphones. The first security breaches via rogue applications have already occurred. For example, applications designed to steal banking credentials from users were discovered in Google’s Android Market online software store in early 2010.

Developed by someone with the alias of Droid09, the applications were disguised as legitimate mobile banking applications and used bank names (without permission) to get users to download and install the program. Once loaded, the applications used phishing techniques and enticed mobile users to submit confidential account information to a bogus bank site.

In addition to application attacks, MMS and SMS functions have also been sources of harm. The “Sexy View” smartphone worm attacks that targeted Nokia phones in 2009 started with a simple text message inviting users to view pictures. When they did, the worm was able to take over the phones much like a botnet takes over a computer. The users were dialled into a Trojan that captures subscriber, phone, and network information and transmits it to a website.

While these attacks were documented and mostly eradicated, the incidents demonstrated the vulnerability of unsuspecting smartphone users to application-based as well as MMS and SMS-based attacks.

Security experts still consider lost or stolen devices to be the main threat to information. Although estimates vary widely, In-Stat reports that more than 8 million cell phones are lost each year, making mobile phones, especially smartphones with corporate data, a security breach just waiting to happen.

For IT professionals facing the onslaught of personal devices in the workplace, smartphones don’t have to be viewed as a violation of corporate security policies. Since the vast majority of employees are using personal devices at home, harnessing this trend and turning it into an advantage for your company makes sound business sense and will go a long way to keeping employees happy and productive.