Financial Times: Mobile device security – a ticking time bomb?

by Mark Edwards, CEO, Mformation

Financial Times Personal View, Sept 25, 2008...

As laptop computers have become ubiquitous business tools, IT departments have worked diligently to come up with ways to protect them. Nevertheless, laptop losses and thefts continue to make news.

According to a study by the Ponemon Institute, lost or stolen laptops are the most frequent cause of a data breach, accounting for 49 per cent of data breaches in 2007. And according to CSI’s 12th annual computer crime and security survey, laptop theft accounted for 50 per cent of reported security attacks.

Now mobile phones are well on their way to becoming sophisticated handheld computers that are every bit as irreplaceable to corporate management and staff as any PC or laptop. Many industries have come to rely upon mobile enterprise applications.

BlackBerry devices, for example, have become de rigueur among managers who need always-on access to e-mail, calendar and market information. Government organisations are also using mobile devices to capture information from remote government employees for a wide range of tasks, including emergency services, traffic management and even animal control and tracking.

In the healthcare industry, doctors and case workers can now capture and access health information at the point of care using their mobile devices. Popular mobile enterprise applications used across all industries include salesforce automation, field-force automation, fleet management, inventory management and wireless CRM.

Could the rapid adoption of mobile devices in the enterprise be a ticking time bomb for IT organisations? More and more corporate data resides on them and mobilised applications are being used, not just by management, but by employees at all levels.

However, mobile handsets are very often not under the systematic control of the IT department. Some are not even provided by the company; when the enterprise does not supply mobile devices, employees simply use their personal mobile devices to transact company business, access corporate information and run company applications, with or without the knowledge of the IT organisation.

At the same time, the combination of an increasingly varied set of mobile devices with increasing memory and power, together with a trend towards more powerful, IP-based network infrastructures, is creating a fertile ground for the migration of computer and internet-based threats into the mobile space.

IT departments the world over have responded to these security challenges by implementing a wide range of controls over PCs and laptops – from passwords and encryption to sophisticated tracking, location and access mechanisms – in order to minimise the exposure and business risks of such security breaches. More than a decade of R&D has gone into securing PCs and laptops connected to the internet and corporate intranets. These technologies are now commonplace in enterprise networks.

The same level of attention needs to be paid to the latest wave of highly portable handheld mobile devices. However, simply porting PC-style security and management systems to the wireless arena ignores the very small form factor, extreme portability and vastly different usability expectations that are unique to mobile devices and wireless connections.

IT departments are finding that they need a middle ground: leveraging some of the R&D done in the PC/laptop arena while keeping the unique needs and requirements of the mobile device in mind, so that the mobile experience is not negatively affected in any way.

Although, so far, infestation of wireless handsets by internet-based security threats has been relatively low, new threats to mobile devices, including malicious programs (viruses, worms and Trojan horses) continue to appear.

In just the last few months, several new threats have shown up in the market: two new Trojan horse viruses, one targeting Symbian SMS messages and another targeting specific Windows Mobile programs; two new worms, one targeting particular Symbian phones and one targeting multimedia cards; and a new spyware application.

None of these malicious bits of code have caused widespread damage. However, despite the fact that the current threat is not particularly high, most industry experts are saying that the iPhone, Android, and mobile devices with Wi-Fi and other broadband capabilities will undoubtedly be rich targets for malware and viruses in the coming years.

Effective management of a company’s mobile devices, data and applications will mean faster mobilisation of enterprise applications. This, in turn, will lead to increased employee productivity at all levels of the enterprise. Recognition of the trends driving mobile adoption and the unique challenges associated with managing and securing mobile devices is a good first step in ensuring that corporate data is protected, and the business is kept safe while it moves forward with mobilisation initiatives.

The next step is to make sure policies and systems are in place to manage and protect mobile devices, data and applications effectively while supporting the people who increasingly depend on them.

Mark Edwards is the CEO of mobile device management company Mformation.