Mislaid laptops have been much in the news, but the lost smartphone poses a significant and growing corporate risk, says Jessica Twentyman.

It's time for IT security professionals to get smart about smartphones. Lost laptops frequently hit the headlines, but relatively little is heard about the threat posed by employees mislaying newer mobile devices, such as Apple's iPhone or RIM's BlackBerry Bold.
Even so, their smaller form-factor makes such devices more vulnerable to loss or theft, and when one considers their growing popularity, coupled with their increased sophistication in terms of storage, browsing capability and connectivity to enterprise networks, it's clear that a massive problem is brewing.
A survey conducted last year by data protection specialist Credant Technologies, for example, found that over 3,000 laptops were left in London taxis over a six-month period. A worrying figure, but it pales into insignificance compared with the 55,000 mobile phones mislaid in the same period - and which are less likely to be claimed by their owners, according to the researchers.
Experts believe mobile device security will be a major focus for IS professionals in 2009. Sales of smartphones in western Europe are set to increase from 113 million units sold in 2008, to 158 million this year, according to analysts at IT market research company Gartner. Many of these devices will be embraced by employees eager to have corporate email, applications and intranet access enabled on a single, portable device.
This will leave many IT departments with the task of configuring, securing and managing larger numbers of mobile voice and data devices, based on a range of different mobile platforms. Security professionals in particular will be called on to organise back-end connectivity and synchronisation of personal information management software and to provide users with other portable applications.
The risks posed by increasingly smart mobile devices are twofold: the potential for loss or theft of their sensitive data; and their ability to connect unauthorised users to corporate networks.
Missing in action
Mobile computing may be unshackling employees from their desks, but one of the biggest problems posed by this generation of smart devices is that they are rarely given the same level of risk assessment as laptops.
"It's time to start treating smartphones as mini laptops and make them subject to the same stringent information security policies," says Donal Casey, a security consultant at IT consultancy Morse. "The device I carry everywhere with me has 16GB of memory and is packed with documents, spreadsheets and emails," he says. But if he loses that device, he adds, "all I will lose is the device itself, because the data is encrypted and can't be accessed by anyone else".
Not every user is so careful, however. A recent survey of IT security decision-makers, conducted by information management software company Sybase, found that 71 per cent of companies rely solely on their employees to secure their mobile device, even though 87 per cent of them reported usability frustrations with security features.
"It's not the device that matters here, it's the data it contains, but that tends to be forgotten," says Jörg Schneider-Simon, a mobile device security expert at Trend Micro. "In fact, I'd go so far as to say that, within some organisations, certain data shouldn't even be downloaded to a mobile device in the first place - if it's sensitive personal information about customers, for example, or intellectual property."
To counter the threat of data loss, all mobile devices should (at the very least) be password-protected and passwords should be reset regularly, says Casey. "Users may complain about this and say that it's an inconvenience, but it's also the easiest way of ensuring that unauthorised users aren't able to snoop," he says.
Smart companies, he adds, enforce passwords that include upper and lower case characters plus a number or two - and that 'time out' after a reasonable period, typically five minutes. A longer 'idle time' will potentially allow a thief to access and exploit contents with relative ease, while a very short time-out will require users to constantly enter their passwords - frustrating for them, and potentially useful to 'shoulder surfers', covertly observing the process.
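The passcode and time-out controls described above are controls a device policy can enforce rather than leave to the user's discretion. The following is an added example, not code from the article or from any vendor it names: it checks a passcode for the character mix Casey describes, decides when the idle time-out should lock the device, and flags a passcode that is due for rotation. The function names, the eight-character minimum length and the 90-day rotation period are assumptions for the example; the article itself only gives the five-minute time-out and the upper/lower/number mix.

```python
"""Illustrative mobile device-lock policy (added example, not vendor code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Policy values. The five-minute idle time-out and the character mix come from
# the article; the minimum length and rotation period are assumed for this example.
MIN_LENGTH = 8
IDLE_TIMEOUT = timedelta(minutes=5)
MAX_PASSWORD_AGE = timedelta(days=90)


def password_violations(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return every way the passcode falls short of policy; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def should_lock(last_activity: datetime, now: datetime,
                idle_timeout: timedelta = IDLE_TIMEOUT) -> bool:
    """True once the device has sat idle for the full time-out window."""
    return now - last_activity >= idle_timeout


def password_expired(set_at: datetime, now: datetime,
                     max_age: timedelta = MAX_PASSWORD_AGE) -> bool:
    """True when the passcode is older than the rotation period and must be reset."""
    return now - set_at > max_age


def evaluate_device(password: str, password_set_at: datetime,
                    last_activity: datetime, now: datetime) -> dict:
    """Summarise the device's compliance state at a single point in time."""
    return {
        "password_ok": not password_violations(password),
        "password_violations": password_violations(password),
        "locked": should_lock(last_activity, now),
        "rotation_due": password_expired(password_set_at, now),
    }


if __name__ == "__main__":
    # Constructed sample timeline: passcode set in January, last tap at 12:03,
    # policy evaluated at 12:09 (six minutes idle, so the lock should have fired).
    set_at = datetime(2009, 1, 5, 9, 0)
    last_tap = datetime(2009, 2, 10, 12, 3)
    check_at = datetime(2009, 2, 10, 12, 9)
    for candidate in ("Correct9Horse", "correcthorse", "Ab1"):
        print(candidate, "->", password_violations(candidate) or "compliant")
    print(evaluate_device("Correct9Horse", set_at, last_tap, check_at))
```

A too-long idle window and a too-short one are both policy failures in the article's terms; keeping the window a single constant makes it a deliberate, reviewable decision rather than something each user tunes on their own handset.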
Encryption is vital, too, says Greg Day, security analyst with McAfee, but this presents many organisations with a dilemma: at what level should encryption be applied? "You don't want to make life too complicated for users - and complex encryption quickly develops a bad reputation with busy people on the move," he says. That said, encryption at the device level is a must-have for all organisations, he adds, while encryption at file or folder level is a decision typically made according to an individual company's appetite for, or tolerance of, security risk.
But when it comes to encryption, there are significant trade-offs to bear in mind. Full device-level encryption can hamper performance and battery life, but also means that all data is effectively protected. On the other hand, file or folder-level encryption is less processing-intensive, certainly, but requires a complex process of data classification to ensure that sensitive data is encrypted while other data is not.
Back-end threat
Safeguarding data stored on the device itself is only the start of a successful smartphone security strategy, however. Increasingly, there's also the data held on back-end enterprise systems to consider. This kind of information is now accessed by smartphones as well as laptops on a regular basis, and this is why a number of mobile device manufacturers have started to incorporate support for virtual private networks (VPNs) in their enterprise-class products.
There's good reason for that: to many organisations, the prospect of users hopping onto a WiFi hotspot at their local coffee shop is unacceptable, whatever device they adopt. Working with VPNs that require users to authenticate and connect to back-end systems through secure tunnels protects sensitive data in transit.
"Unless you employ VPNs to allow smartphone users to connect to the networks, you're left with only a couple of options, both of which may prove unsatisfactory to users in the field: either restricting access to simple web surfing and to lower-sensitivity applications in the demilitarised zone of your corporate network - or blocking access entirely," says Alistair Broom, security director at Dimension Data.
And information security professionals also need to be alert to the growing risk of malware and viruses that specifically target mobile platforms, says John Girard, a security analyst with IT market research company Gartner. A few years ago, there wasn't much standardisation across smartphones and other wireless devices, he told attendees at the company's London IT Security Summit in autumn 2008. Differing operating systems and implementations of mobile Java - even varying configurations among devices with the same operating system - made it hard to write malicious code that ran on a wide array of devices.
But that's changing, because the process of writing malware that can run on a variety of handheld devices has been simplified. Girard has predicted that wireless identity theft and phishing attempts targeting mobile devices will become more prevalent in 2009, so before buying large quantities of handheld devices for their employees, companies need to be sure that the devices meet a minimum set of security specifications, based on what kind of data the devices will handle and the regulations that businesses need to comply with under data protection laws.
Device vendors concur. "We're expecting to see mobile platforms come under attack to a much greater extent in 2009. It will be the year where threats and conjecture will manifest themselves as real risks," says Scott Totzke, vice president of global security at BlackBerry manufacturer Research in Motion (RIM).
Naturally, there's a wide range of mobile security products available to address these issues, supporting enterprise-wide password management, application lockdown, data port disablement and the ability to 'remote kill' a device lost in the field. But while vendors such as Symantec, McAfee and Trend Micro do a good job supporting the most popular devices, some market-watchers have complained that advanced hardware capabilities, such as locking down cameras or disabling SD card slots, are (at best) patchy.
Neither do these products solve the inherently human aspects of the problem - the fact that users increasingly want a free rein over their choice of device (even if they have to pay for it themselves) and that they insist on using the latest model available, regardless of the problem of support in an age of accelerated upgrade cycles.
"The consumerisation of technology is one of the biggest challenges that enterprises face and, as a new generation enters the workforce, it's only going to increase," says Broom. "That will call for strong policies - and now is the time to start laying the groundwork."