Lost smartphones pose significant corporate risk

Mislaid laptops have been much in the news, but the lost smartphone poses a significant and growing corporate risk, says Jessica Twentyman.

It's time for IT security professionals to get smart about smartphones. Lost laptops frequently hit the headlines, but relatively little is heard about the threat posed by employees mislaying newer mobile devices, such as Apple's iPhone or RIM's BlackBerry Bold.

Even so, their smaller form-factor makes such devices more vulnerable to loss or theft, and when one considers their growing popularity, coupled with their increased sophistication in terms of storage, browsing capability and connectivity to enterprise networks, it's clear that a massive problem is brewing.

A survey conducted last year by data protection specialist Credant Technologies, for example, found that over 3,000 laptops were left in London taxis over a six-month period. A worrying figure, but it pales into insignificance compared with the 55,000 mobile phones mislaid in the same period - and which are less likely to be claimed by their owners, according to the researchers.

Experts believe mobile device security will be a major focus for IS professionals in 2009. Sales of smartphones in western Europe are set to increase from 113 million units sold in 2008, to 158 million this year, according to analysts at IT market research company Gartner. Many of these devices will be embraced by employees eager to have corporate email, applications and intranet access enabled on a single, portable device.

This will leave many IT departments with the task of configuring, securing and managing larger numbers of mobile voice and data devices, based on a range of different mobile platforms. Security professionals in particular will be called on to organise back-end connectivity and synchronisation of personal information management software and to provide users with other portable applications.

The risks posed by increasingly smart mobile devices are twofold: the potential for loss or theft of their sensitive data; and their ability to connect unauthorised users to corporate networks.

Missing in action
Mobile computing may be unshackling employees from their desks, but one of the biggest problems posed by this generation of smart devices is that they are rarely given the same level of risk assessment as laptops.

"It's time to start treating smartphones as mini laptops and make them subject to the same stringent information security policies," says Donal Casey, a security consultant at IT consultancy Morse. "The device I carry everywhere with me has 16GB of memory and is packed with documents, spreadsheets and emails," he says. But if he loses that device, he adds, "all I will lose is the device itself, because the data is encrypted and can't be accessed by anyone else".