It was about four years ago when the IT department at Chris McClanahan's Fortune 500 financial services company began noticing a widespread influx of so-called smartphones seeking connection to the corporate network.
McClanahan, the firm's principal engineer and client-side computing architect, quickly realized that although these internet-and-email-enabled mobile devices offered significant productivity capabilities for employees (while being slender enough to fit in a pants pocket), they carried many of the same risks found on traditional computers. But, like many other big firms, it has been a work in progress to get the hundreds of employees using such devices as Palm Treos and BlackBerries to also appreciate the security ramifications, he says.
The first step, McLanahan recalls, was to take back control.
“At first, we let everyone purchase their own devices and calling plans, and we tried to lock it down,” he says. “Now, we're moving toward providing the device and the line ourselves and treating it just like another workstation.”
That means encrypting the devices, authenticating users and routing internet functions through the company's proxy to filter out any sites deemed insecure, he says.
But as laptop data-loss incidents continue to blaze across headlines each week, most organizations seem even less prepared to deal with the onslaught of mobile devices, experts say. Gartner has reported that worldwide shipments of PDAs and smartphones increased 57 percent to 42.1 million in the first half of 2006, compared to the same period a year earlier.
IT security experts seem to be in agreement that the biggest risk handhelds pose to businesses today is the threat of lost devices containing sensitive corporate data. Other dangers, such as in-the-wild malware, wireless hijacking and spam SMS (short message service) messages, are already prevalent in Europe and Asia, but they're not here...yet.
“The data that we have from our customer base is there's much more sensitivity to information stored on small portable devices — especially those that can receive corporate email — than there is for a virus outbreak that can take down a phone,” says Bob Egner, vice president of product management at Redwood City, Calif.-based Check Point Software Technologies.
However, the sky is not going to fall tomorrow, next week or probably even next year, say experts. In fact, John Kindervag, a senior security architect at Atlanta-based risk management firm Vigilar, says a recent mobile device assessment he conducted for a financial services firm netted little reason for executives to worry. But, Kindervag's company did recommend encryption.
He was also concerned with people who appeared to purposely lose their mobile devices just so they could get a newer model.
“A lot of them say they fell in toilets. How many people over the course of a day or week can drop their mobile devices in toilets? That became the running joke.”
Khoi Nguyen, group product manager of mobile security at Symantec, says most smartphones do not even have basic password protection, an oversight that could have true detrimental effects considering the average user is more likely to misplace a phone than a laptop.
Another problem arises when it comes to reporting these incidents. Many employees either may not feel obligated to do so if it is their personal device or may not realize sensitive data rests on the device.
“I don't know any company who has a really good written technical policy to be able to control these devices,” says Daniel Hoffman, author of Blackjacking: Security Threats to Blackberry Devices, PDAs and Cell Phones in the Enterprise. “I don't know a single one.”
But he should, if for no other reason than the fact that many organizations are subject to standards, such as Securities and Exchange Commission regulations or Sarbanes-Oxley, which stipulate that corporate exchanges, whether through email or over SMS, must be documented.
“If you're an organization that is subject to SOX, then absolutely what you need to do is prove you have control of the data,” says Matt Fisher, vice president marketing, at Centennial Software, a U.K.-based provider of IT governance solutions.
Thieves follow market share
Symantec researchers say that for every mobile virus that appears, there are between 500 and 600 that hit the PC. So far, there have been scattered reports of mobile malware, other than some proof-of-concept viruses, and many mobile operating systems are locked down and decide which third-party applications can run, experts say. “What is the benefit of a virus writer to start targeting phones?” Egner says.
But, the tide could be turning, as mobile banking services and other richer client applications begin appearing. Meanwhile, nifty new handhelds, particularly the iPhone, have invited hacker interest in the mobile device space.
Bob Egan, chief analyst at the TowerGroup, predicts in a January report that mobile viruses affecting financial institutions are a real and present danger. Still, so far, there have been few notable reports of mobile viruses in the United States. Users in Asia and Europe already have witnessed the Mosquito trojan, which infects a device so it calls high-fee phone numbers, and the Cabir worm, which spreads over the Symbian operating system via Bluetooth and proves more of an annoyance than anything else.
“There's the potential for more nasty stuff to happen,” says Todd Thiemann, director of device security marketing at Cupertino, Calif.-based Trend Micro. “All it's going to take is one [Veterans Affairs] event with a mobile device to stimulate concern in this area.”
If any malicious software is making headway on mobile devices, it might be what is known as “snoopware.” A Thailand-based company offers FlexiSpy, a keylogging program that is marketed to jealous spouses so they can spy on their significant others.
Meanwhile, the threat of wireless vulnerabilities is a real concern and one that could soon impact mobile users, says David King, chairman and CEO of Mountain View, Calif.-based wireless security firm AirTight Networks.
“Hackers have figured out that the most vulnerable spot is the over-the-air connection,” he says. “Reported incidents of theft and privacy lost over the air is growing every day.”
That means mobile users who connect through a WiFi access point may open the door for unauthorized intrusion, experts say. If the VPN is turned on — the recommended protocol for employees using handhelds — the session is encrypted, but attackers still may be able to seed the network with malware, King says.
The problem, King says, is that many organizations are not extending mobile VPN clients to their devices because of their limited memory processing capabilities.
“There's not a lot of good, lightweight VPNs that sit on these devices,” he says. “You can't put a standard VPN client in the PDA or cell phone. That kind of software doesn't reside well in a limited form-factor device.”
Security built in
The burden for safeguarding mobile devices does not solely rest on the organization deploying them, although clear company polices are key.
But long before smartphones and PDAs make their way to an employee, wireless carriers, device manufacturers and makers of supporting software are busy investing in security to protect against today's (and tomorrow's) threats.
Sprint, for instance, has partnered with a number of providers so it can offer device management (from Nokia Intellisync) and encryption, firewall, mobile VPN and anti-virus (from Mobile Armor), says Mark Haase, product manager of mobile security at Sprint. The carrier offers these capabilities to its customers for additional fees.
BlackBerry, the popular brand manufactured by Canada-based Research in Motion (RIM), is most concerned with users misplacing the devices, says Scott Totzke, vice president of the global security group at RIM. The phone provides transport encryption — similar to a VPN — in addition to encrypting data on the handset itself. To prevent malware intrusions, the device contains a firewall to fight SMS spam, and all applications run in a virtual environment, which buffers hardware from malicious software, Totzke says.
Users say they appreciate BlackBerry's security features. “The worst thing I worry about is email,” says Sharon Finney, information security administrator for Decatur, Ga.-based DeKalb Medical Center, an 800-bed facility. “We require all employees to password-protect their BlackBerry. If that device is reported lost, we remotely wipe it clean.”
Finney, who uses Proofpoint solutions for email and spam filtering, says the hospital has issued about 40 BlackBerries and has since instituted a number of other security requirements, such as prohibiting users from accessing clinical applications over smartphones or connecting the devices to PCs.
Motorola Good Technology Group, which makes software that allows email and other applications to run on Windows Mobile and Palm operating system-enabled devices, sells its solutions to roughly 12,000 enterprise customers, says Dan Rudolph, director of product marketing. The software offers visibility and management by providing remote wipes, password resets and application checks.
Still, it seems the best solution for businesses — and perhaps the hardest concept for many to grasp — is common sense when it comes to these helpful, miniature devices.
Author Hoffman, who is also a senior systems engineer at Fiberlink Communications, a mobile security company, Blue Bell, Pa., says, “Treat the PDAs exactly the way you would a laptop with the same protection.”