As mobile phones, smart phones, PDAs, laptops, BlackBerrys and other mobile gadgets spread across the business landscape, CFOs are finding themselves working with CIOs and IT managers to fight an ongoing security war. Lost and stolen devices, porous wireless links and devious employees are among the threats facing enterprises with roaming workforces.
The problem is sneaking up on many CFOs, who often only become aware of it when valuable data is lost or compromised, says Richard Morgan, a director at Sybase, a mobile and wireless enterprise software company in the US. “Mobile device adoption is growing, and this could represent a security threat to enterprises if not managed correctly,” he notes. “The devices that are being deployed are growing in power and capability — with this come added risks.”
Lost, But Not Forgotten
While the potential exposure of mobile-phone users to the dangers of an attack is low, all laptops, smart phones and other mobile devices capable of storing sensitive data can be lost or stolen. So it’s good insurance to secure the data with encryption software, says James Moran, fraud and security director of the GSM Association. Encryption tools are available from numerous vendors, including Smobile, PGP, TrueCrypt Foundation, Data Encryption Systems, SJ NAMO and T3 US.
But Khoi Nguyen, mobile security group product manager for US software security company Symantec, believes that encryption needs to be combined with other safeguards to keep data fully secure. Companies “should use security software that includes antivirus, firewall, data encryption, password protection and device feature blocking,” he says. Symantec, Sybase, McAfee, Trust Digital and Trend Micro are among the many vendors offering mobile security that provide these capabilities.
Philippe Winthrop, business mobility solutions analyst for Strategy Analytics, a technology research firm, suggests that mobile devices should also be “hardened” to prevent users from modifying settings and disabling security technologies when out of the office. “If you don’t know how to do this, find a security expert who can help you make your units tamper-proof,” he says.
Businesses might also want to consider a service such as CompuTrace which uses global positioning system (GPS) technology to track lost or stolen laptops. As soon as someone in possession of a missing laptop signs on to the internet, CompuTrace activates and notifies the police. If the thief doesn’t use the laptop to log on to the internet, or if the laptop can’t be located by authorities, laptop data is still safeguarded by encryption. The mobile device can also be remotely directed to automatically wipe its hard drive clean, thus protecting the information all the same.
Confidential business information isn’t only threatened by lost or stolen mobile devices. Thieves can also whisk data away via wireless means. Wi-Fi networks, which allow devices within a 100-meter radius of a hot spot to access the internet, are particularly vulnerable to attacks. Smart phones and PDAs are now becoming, in essence, permanently attached to corporate networks. Someone can compromise a mobile device from a distance and use it as a gateway to a network without the operator even knowing that it’s happening.
To ensure wireless safety, all mobile devices must include some type of wireless security technology. The first wireless network security standard — Wired Equivalent Privacy (WEP) — was a relatively weak technology. But more recent specifications, such as Wi-Fi Protected Access (WPA), WPA2 and IEEE 802.11i, can be powerful security tools, reckons Nick Magliato, CEO of Trust Digital, a mobile security software company.
Rapidly proliferating Bluetooth technology, which allows connectivity between mobile phones, PDAs, laptops and other gadgets at short distances, is another prime wireless weak spot. As with Wi-Fi, attackers may take advantage of Bluetooth connections to access or download information onto a device.
“Technically, Bluetooth is one of the most insecure wireless technologies” says Bill Nagel, a security, risk and identity management analyst for technology research firm Forrester. “There has been anecdotal evidence of data being stolen via Bluetooth.” To keep snoops at bay, Nagel recommends that users be required to turn off Bluetooth technology whenever it’s not being used.
Wireless VoIP, which allows users to send phone calls over laptops, PDAs and other portable gadgets via a Wi-Fi link, also worries IT security experts. Because VoIP is data-based, it’s vulnerable to many of the malware threats that plague desktop computer users, including viruses, worms, spam and phishing. Wireless VoIP mobile devices can be protected with the same technologies that are used to safeguard wireless data.
Down the road, new wireless technologies like WiMAX, which will blanket entire cities with wireless internet access, will arrive to challenge enterprise management with new security issues. That’s why it’s important to stay on top of emerging trends. Nagel suggests that companies focus on data security as well as device security. “That means knowing what data is most dangerous to lose and where it is stored.”
While BlackBerrys, PDAs and laptops are the devices most closely associated with mobile security lapses, a variety of other “stealth gadgets” are also a potential security trap. MP3 players, for example, can be linked to PCs to store items beyond songs and podcasts — such as confidential reports and top-secret customer lists.
Magliato notes that portable USB drives and memory sticks pose a similar menace. “You never know what’s going to be loaded on or downloaded from these things,” he says. “They’re also very portable, very easy to lose.” Memory sticks can be particularly difficult to control. “People send them in the mail with advertising,” he says.
Even more sinister is the emergence of new pocket-sized gadgets that are designed solely to extract data files from mobile devices. One such product is the Cellular Seizure Investigation Stick (CSI Stick). The size of a cigarette lighter, the unit plugs directly into most Motorola and Samsung mobile phones to grab the data they contain. “When new storage cards, etcetera, are inserted in the handset the user should be prompted to enter a PIN,” advises James Moran.
Getting a handle on mobile device security requires building a strategy that will protect enterprise data while giving employees the flexibility to use emerging technologies in new and productive ways. Sybase’s Morgan recommends developing a formal policy that’s based on balancing business needs and understanding the challenges mobile security poses. “The enterprise needs to define a security policy for mobile devices and then ensure that policy is centrally enforceable through a comprehensive management tool,” he says.
Winthrop notes that security planning needs to keep pace with evolving technologies and threats. “Changes in business, legal and regulatory environments, or the results of audit and risk assessments, may each necessitate a policy update,” he says. He adds that CFOs can’t work in a vacuum. “You need to have business and technical people involved and you have to make the case why the enterprise needs a mobile security plan,” he says.
Morgan observes that mobile security’s ultimate price is never-ending vigilance. “Security in general, and mobile security in particular, is a task that’s never finished,” he states. “Enterprises should accept that mobility, and the challenges that go along with it, are here to stay.”