Lost smartphones pose significant corporate risk

"Unless you employ VPNs to allow smartphone users to connect to the networks, you're left with only a couple of options, both of which may prove unsatisfactory to users in the field: either restricting access to simple web surfing and to lower-sensitivity applications in the demilitarised zone of your corporate network - or blocking access entirely," says Alistair Broom, security director at Dimension Data.

And information security professionals also need to be alert to the growing risk of malware and viruses that specifically target mobile platforms, says John Girard, a security analyst with IT market research company Gartner. A few years ago, there wasn't much standardisation across smartphones and other wireless devices, he told attendees at the company's London IT Security Summit in autumn 2008. Differing operating systems and implementations of mobile Java - even varying configurations among devices with the same operating system - made it hard to write malicious code that ran on a wide array of devices.

But that's changing, because the process of writing malware that can run on a variety of handheld devices has been simplified. Girard has predicted that wireless identity theft and phishing attempts targeting mobile devices will become more prevalent in 2009, so before buying large quantities of handheld devices for their employees, companies need to be sure that the devices meet a minimum set of security specifications, based on what kind of data the devices will handle and the regulations that businesses need to comply with under data protection laws.

Device vendors concur. "We're expecting to see mobile platforms come under attack to a much greater extent in 2009. It will be the year where threats and conjecture will manifest themselves as real risks," says Scott Totzke, vice president of global security at BlackBerry manufacturer Research in Motion (RIM).

Naturally, there's a wide range of mobile security products available to address these issues, supporting enterprise-wide password management, application lockdown, data port disablement and the ability to ‘remote kill' a device lost in the field. But while vendors such as Symantec, McAfee and Trend Micro do a good job supporting the most popular devices, some market-watchers have complained that advanced hardware capabilities, such as locking down cameras or disabling SD card slots, are (at best) patchy.

Neither do these products solve the inherently human aspects of the problem - the fact that users increasingly want a free rein over their choice of device (even if they have to pay for it themselves) and that they insist on using the latest model available, regardless of the problem of support in an age of accelerated upgrade cycles.

"The consumerisation of technology is one of the biggest challenges that enterprises face and, as a new generation enters the workforce, it's only going to increase," says Broom. "That will call for strong policies - and now is the time to start laying the groundwork."