As companies clamp down on their IT systems to ensure they are safe from tampering and information leaks, one threat remains difficult to neutralize: hand-held devices. For the most part, employees who use PDAs, cell phones and their smartphone cousins have unfettered access to their office computers, and by extension the network to which they link.
“Given the significant risks posed by mobile devices, companies should take immediate steps to review mobile usage and security policies, and implement security and management tools,” Forrester analyst David Friedlander wrote in the August report “Managing and Securing Mobile Devices.”
Security breaches through mobile devices can happen in numerous ways. Devices can be lost or stolen; hackers can access a network through wireless devices or access the devices themselves; and mobile viruses, now in their infancy, can spread and attack IT networks.
Part of the problem lies in the increasing abilities of these small devices, which can hold private e-mail correspondence, the personal data of clients, a company’s proprietary information (such as PowerPoint presentations), almost anything a mobile worker needs to do her job. This makes companies more vulnerable, especially if they don’t know who is carrying what device and what is stored on it.
“The most infrequent security breach is someone from the outside coming in, second most unlikely is someone on the inside being malicious, but what happens daily is people doing something that has a security ramification without thinking about it,” Ed Moyle, president of Security Curve, told TechNewsWorld.
Companies Lack Mobile Security
Steve Hunt, vice president and research director for security at Forrester, said that only 9 percent of companies recently surveyed have deployed a mobile management tool, while another 20 percent said they would deploy tools within a year or have a pilot program.
The problem is not one with a simple solution, partly because the real solution lies not in technology but in the mindset of the employees who use mobile devices.
Credant Technologies, a 3-year-old mobile security firm, offers a software product it says is unique in its ability to detect and automatically protect each approved mobile device that synchronizes to a computer within a company’s network.
Credant’s Mobile Guardian (CMG) detects any device trying to sync, sets and enforces authentication regulations and automatically encrypts databases and folders. It can also disable potentially threatening programs such as cameras, Bluetooth and infrared beaming, and also purge data from a lost or stolen device.
CMG also allows IT management consoles to hook directly into an LDAP directory system, making it easier to update employee information, add new employees who need access to the network or delete those who should no longer be granted entry, Ian Gordon, Credant’s vice president of marketing, told TechNewsWorld.
Keeping Security in Place
Gordon said that the key to his company’s solution is its ability to automatically install security software onto syncing devices and check every time to make sure that software is still installed.
As Moyle said, “The problem is that users don’t want to be controlled, they bought their Blackberry for a reason, to do their work more easily. They’ll try to go around the controls.”
But all the experts agree that no amount of mobile security will be enough without employee education.
“The best thing you can do is not a technology solution, it’s awareness,” Moyle said. “If employees know that keeping the client list on the PDA is not a good idea and they know why, they’re less likely to do it.”
Gordon agrees: “For most folks, if it’s a personally owned device, they have a mix of personal and business information on it. You have to make the case to the employee that it’s a good thing from a business perspective and personal perspective.”
For some vertical industries, the stakes are very high. Regulatory compliance laws — such as Sarbanes-Oxley, the Public Company Accounting Reform and Investor Protection Act, and the Health Insurance Portability and Accountability Act (HIPAA) — require companies to keep a tight rein on information.
Randy Maib, senior IT consultant for Integris Health, a not-for-profit health care organization in Oklahoma, said that HIPAA propelled him to seek a security solution. “The local network-to-PDA platform was the main focal point for our search for a product,” Maib told TechNewsWorld. One of his concerns, he said, was doctors who used mobile devices as they traveled from one health facility to another. Concerns were “not just from a clinical perspective; the CEO and CIO have a lot of business information available,” he added.
Integris has begun deploying Credant’s solution in an attempt to add another layer of password security. The health-care company has just shifted its IT security group under the umbrella of its legal department and is planning to add the gatekeeper and encryption components of CMG, Maib said.
Policy Plus Enforcement
All the security experts agree that a strong employee-awareness program coupled with a clear, detailed management policy on mobile devices must underpin any other efforts. But the policies alone are not enough. According to Friedlander’s report, 30 IT professionals who attended GigaWorld IT Forum 2004 were asked if their companies had adequate mobile security policies. They all said yes. When asked whether the companies could enforce those policies, only four believed they could.
“There are a lot of good products that can get you part of the way,” Moyle said, “but I’m a firm believer in awareness, and not once-a-year awareness, but regular reminders.”
An attack on several fronts is necessary to combat this growing problem, both Credant executives and security analysts said.
“The emergence of worms, viruses and Trojans for mobile devices is an early warning to enterprises of the insecurity of PDA and smartphone operating systems. It is time to start treating smartphones and wireless PDAs for what they are: small yet fully functional computers connected to your enterprise and not relatively safe personal devices that fall outside the purview of IT management,” Bernt Østergaard and Carl Zetie of Forrester Research wrote in “Mobile Devices Under Attack” in September.
Get Started Now, Experts Say
How an enterprise does that depends a lot on its needs. Moyle suggests that along with education, antivirus protection and firewalls, the Microsoft Encrypting File System included with Microsoft operating systems might be enough for some. Others might seek out a solution such as Credant’s.
The field is still in its infancy. At the end of October, Intel, IBM and NTT DoCoMo launched their own security technology for mobile devices. The “Trusted Mobile Platform” combines hardware and software components and protocols to create a barrier to the spread of viruses from one device to another. In August, Nokia and Swedish security company Pointsec Mobile Technologies said they were working to develop an encryption tool for high-end phones. Hewlett-Packard packages CMG with some of its iPAQs.
Although mobile security itself is evolving, experts agree that companies cannot wait, but must begin the planning process to secure their employees’ mobile devices today.