IT departments are under increasing pressure to support a wide range of mobile devices. iPhone, iPad, and Google Android devices are joining BlackBerry, Symbian and Windows Mobile smartphones in the workplace, and their numbers are increasing exponentially each month.
Lost or jailbroken mobile phones, along with viruses and malware sent via mobile mail applications, can pose significant threats to enterprise information security. Mobile phones by nature are highly portable and can store large amounts of data. Since they are relatively easy to steal or lose, an unauthorized intruder can gain access to confidential information on an unprotected mobile device in the blink of an eye. Unsecured wireless transmissions can also be captured without the user ever knowing a security breach has occurred.
Biggest Risks to Mobile Security
Mobile phones have not yet been targeted by criminals to the extent that laptops have been attacked. However, smartphones are certainly not immune. While actual incidents of attacks on mobile devices in the enterprise are mostly anecdotal, analysts and security experts all agree that the next few years could be very different -- especially if IT departments are unprepared or slow to implement mobile security strategies.
While employees don't hesitate to use smartphones at work, they are seemingly unaware of the risks associated with storing business information, including corporate e-mail, on their mobile devices.
In a Trend Micro survey, almost 30 percent of the 1,000 mobile workers interviewed believed their smartphones were less likely to be infected than their computers. And 44 percent did not engage security to protect the devices as they browsed the Web, even though 45 percent stated that they had been infected by malware they received over their mobile phone. Additionally, 23 percent of the survey respondents stated that they did not use security on their mobile devices, even though it was preinstalled.
The shortlist of risks to mobile devices includes:
Attack by Application
Smartphone attacks are not commonplace. However, as more mobile workers use them for Web browsing and information distribution, the number of incidents is likely to increase. Running sophisticated mobile applications, smartphones are fostering open application ecosystems that mirror the world of traditional desktop and laptop computers, making mobile devices equally vulnerable to malware and information theft.
Smartphones are becoming the primary portal for many business apps, including mobile banking and e-mail. Therefore, the data stored on -- and traveling across -- these devices will increase in value, moving them higher on the target list for data thieves.
While an off-the-shelf iPhone or Android phone is relatively safe, the applications a user chooses to put on the smartphone can render it unsafe. Security experts predict that iPhone and BlackBerry users will be far less prone to attack than users of other mobile devices, mostly due to the stringent app distribution requirements enforced at the Apple App Store and BlackBerry App World. Neither Apple nor RIM allows unapproved applications on its platform, and developers' apps have to be individually approved for distribution.
However, if a user chooses to compromise, unlock or "jailbreak" the mobile device, then the phone is vulnerable to anything the user downloads, which could put all information stored on the phone, including corporate data and e-mail, at risk.
Users need to be very selective about which programs they choose to run on their smartphones. The first security breaches via rogue apps have already occurred. For example, applications designed to steal banking credentials from users were discovered in Google's Android Market online software store in early 2010. Developed by someone with the alias of Droid09, the apps were disguised as legitimate mobile banking apps and used bank names (without permission) to get users to download and install the application. Once loaded, the apps used phishing techniques and enticed mobile users to submit confidential account information to a bogus bank site.
In addition to application attacks, MMS and SMS functions have also been sources of harm. The "Sexy View" smartphone worm attacks that targeted Nokia phones in 2009 started with a simple text message inviting users to view pictures. When they did, the worm was able to take over the phones much like a botnet takes over a computer. The users were dialed into a Trojan that captured subscriber, phone, and network information and transmitted it to a website.
While these attacks were documented and mostly eradicated, the incidents demonstrated the vulnerability of unsuspecting smartphone users to application-based as well as MMS and SMS-based attacks.
Security experts still consider lost or stolen devices to be the main threat to information. Although estimates vary widely, In-Stat reports that more than 8 million cell phones are lost each year, making mobile phones, especially smartphones with corporate data, a security breach just waiting to happen.
Protecting Devices and Data
Even though mobile security breaches occur from a variety of causes, the primary challenge for IT departments with mobile devices in the enterprise is consistent: remote management and data protection. Protecting the information on the devices requires IT to understand the many ways security can be compromised, including device loss, malware, bugs, and out-of-date mobile OS software.
IT will always be the lead for a company's security efforts. Stay ahead of potential threats by instituting policies that give IT the capabilities to lock down mobile devices, oversee applications and protect corporate data.