Mislaid laptops have been much in the news, but the lost smartphone poses a significant and growing corporate risk. By Jessica Twentyman.
It's time for IT security professionals to get smart about smartphones. Lost laptops frequently hit the headlines, but relatively little is heard about the threat posed by employees mislaying newer mobile devices, such as Apple's iPhone or RIM's BlackBerry Bold.
Even so, their smaller form-factor makes such devices more vulnerable to loss or theft, and when one considers their growing popularity, coupled with their increased sophistication in terms of storage, browsing capability and connectivity to enterprise networks, it's clear that a massive problem is brewing.
A survey conducted last year by data protection specialist Credant Technologies, for example, found that over 3,000 laptops were left in London taxis over a six-month period. A worrying figure, but it pales into insignificance compared with the 55,000 mobile phones mislaid in the same period – and which are less likely to be claimed by their owners, according to the researchers.
Experts believe mobile device security will be a major focus for IS professionals in 2009. Sales of smartphones in western Europe are set to increase from 113 million units sold in 2008, to 158 million this year, according to analysts at IT market research company Gartner. Many of these devices will be embraced by employees eager to have corporate email, applications and intranet access enabled on a single, portable device.
This will leave many IT departments with the task of configuring, securing and managing larger numbers of mobile voice and data devices, based on a range of different mobile platforms. Security professionals in particular will be called on to organise back-end connectivity and synchronisation of personal information management software and to provide users with other portable applications.
The risks posed by increasingly smart mobile devices are twofold: the potential for loss or theft of their sensitive data; and their ability to connect unauthorised users to corporate networks.
Missing in action
Mobile computing may be unshackling employees from their desks, but one of the biggest problems posed by this generation of smart devices is that they are rarely given the same level of risk assessment as laptops.
“It's time to start treating smartphones as mini laptops and make them subject to the same stringent information security policies,” says Donal Casey, a security consultant at IT consultancy Morse. “The device I carry everywhere with me has 16GB of memory and is packed with documents, spreadsheets and emails,” he says. But if he loses that device, he adds, “all I will lose is the device itself, because the data is encrypted and can't be accessed by anyone else”.
Not every user is so careful, however. A recent survey of IT security decision-makers, conducted by information management software company Sybase, found that 71 per cent of companies rely solely on their employees to secure their mobile device, even though 87 per cent of them reported usability frustrations with security features.
“It's not the device that matters here, it's the data it contains, but that tends to be forgotten,” says Jörg Schneider-Simon, a mobile device security expert at Trend Micro. “In fact, I'd go so far as to say that, within some organisations, certain data shouldn't even be downloaded to a mobile device in the first place – if it's sensitive personal information about customers, for example, or intellectual property.”
To counter the threat of data loss, all mobile devices should (at the very least) be password-protected and passwords should be reset regularly, says Casey. “Users may complain about this and say that it's an inconvenience, but it's also the easiest way of ensuring that unauthorised users aren't able to snoop,” he says.
Smart companies, he adds, enforce passwords that include upper and lower case characters plus a number or two – and that ‘time out’ after a reasonable period, typically five minutes. A longer ‘idle time’ will potentially allow a thief to access and exploit contents with relative ease, while a very short time-out will require users to constantly enter their passwords – frustrating for them, and potentially useful to ‘shoulder surfers’, covertly observing the process.
Encryption is vital, too, says Greg Day, security analyst with McAfee, but this presents many organisations with a dilemma: at what level should encryption be applied? “You don't want to make life too complicated for users – and complex encryption quickly develops a bad reputation with busy people on the move,” he says. That said, encryption at the device level is a must-have for all organisations, he adds, while encryption at file or folder level is a decision typically made according to an individual company's appetite for, or tolerance of, security risk.
But when it comes to encryption, there are significant trade-offs to bear in mind. Full device-level encryption can hamper performance and battery life, but also means that all data is effectively protected. On the other hand, file or folder-level encryption is less processing-intensive, certainly, but requires a complex process of data classification to ensure that sensitive data is encrypted while other data is not.
Safeguarding data stored on the device itself is only the start of a successful smartphone security strategy, however. Increasingly, there's also the data held on back-end enterprise systems to consider. This kind of information is now accessed by smartphones as well as laptops on a regular basis, and this is why a number of mobile device manufacturers have started to incorporate support for virtual private networks (VPNs) in their enterprise-class products.
There's good reason for that: to many organisations, the prospect of users hopping onto a WiFi hotspot at their local coffee shop is unacceptable, whatever device they adopt. Working with VPNs that require users to authenticate and connect to the back-end through secure tunnels protects sensitive data in transit.
“Unless you employ VPNs to allow smartphone users to connect to the networks, you're left with only a couple of options, both of which may prove unsatisfactory to users in the field: either restricting access to simple web surfing and to lower-sensitivity applications in the demilitarised zone of your corporate network – or blocking access entirely,” says Alistair Broom, security director at Dimension Data.
And information security professionals also need to be alert to the growing risk of malware and viruses that specifically target mobile platforms, says John Girard, a security analyst with IT market research company Gartner. A few years ago, there wasn't much standardisation across smartphones and other wireless devices, he told attendees at the company's London IT Security Summit in autumn 2008. Differing operating systems and implementations of mobile Java – even varying configurations among devices with the same operating system – made it hard to write malicious code that ran on a wide array of devices.
But that's changing, because the process of writing malware that can run on a variety of handheld devices has been simplified. Girard has predicted that wireless identity theft and phishing attempts targeting mobile devices will become more prevalent in 2009, so before buying large quantities of handheld devices for their employees, companies need to be sure that the devices meet a minimum set of security specifications, based on what kind of data the devices will handle and the regulations that businesses need to comply with under data protection laws.
Device vendors concur. “We're expecting to see mobile platforms come under attack to a much greater extent in 2009. It will be the year where threats and conjecture will manifest themselves as real risks,” says Scott Totzke, vice president of global security at BlackBerry manufacturer Research in Motion (RIM).
Naturally, there's a wide range of mobile security products available to address these issues, supporting enterprise-wide password management, application lockdown, data port disablement and the ability to ‘remote kill’ a device lost in the field. But while vendors such as Symantec, McAfee and Trend Micro do a good job supporting the most popular devices, some market-watchers have complained that advanced hardware capabilities, such as locking down cameras or disabling SD card slots, are (at best) patchy.
Neither do these products solve the inherently human aspects of the problem – the fact that users increasingly want a free rein over their choice of device (even if they have to pay for it themselves) and that they insist on using the latest model available, regardless of the problem of support in an age of accelerated upgrade cycles.
“The consumerisation of technology is one of the biggest challenges that enterprises face and, as a new generation enters the workforce, it's only going to increase,” says Broom. “That will call for strong policies – and now is the time to start laying the groundwork.”
SMARTPHONE OPTIONS FOR THE BUSY INFORMATION SECURITY PROFESSIONAL
BLACKBERRY BOLD
According to BlackBerry manufacturer, Research in Motion (RIM), the BlackBerry Bold earned its name during user testing, where it was praised for the quality of its bright, wide screen. With a full Qwerty keyboard, it is wider than competing devices, and excellent for reading emails, browsing the web and editing documents.
It also marks a bold step for BlackBerry into the world of state-of-the-art smartphones. The device's support for HSDPA 3G and WiFi – which was lacking previously – is a major plus point, as is GPS.
The BlackBerry interface has had a fairly radical makeover and is far less ‘busy’ than earlier versions, giving it a more polished look that should help it compete against the iPhone generation of smartphones. On the downside, the 2-megapixel camera is a weakness and, in the past, some have found the BlackBerry trackball tricky to handle.
It seems that RIM is finally listening to a market where business executives are looking to replace ‘boring’ business phones by devices with a more consumer-oriented look and feel. From an IT administration perspective, RIM's BlackBerry Enterprise Server (BES) offers a comprehensive approach to managing, controlling and deploying devices across a corporate infrastructure.
NOKIA E71
The E71 is Nokia's first 3G phone with a full Qwerty keyboard, in an admirably thin and compact format that also features HSDPA, WiFi, a 3-megapixel camera and a more basic camera on the front for video calling.
Out of the box, the E71 offers a web browser, email client, some pre-installed games and support for push email – but, because it's powered by the Symbian S60 platform, users can also choose from a vast and growing range of Symbian applications, such as IM clients for Skype and Windows Live Messenger.
An interesting feature of the E71 is its implicit recognition that users are looking for a device that can support both business and personal needs; with that in mind, the E71 can be set up with two different start pages, one for home and one for work.
Nokia executives refer to this feature as ‘Mode Switching’ and claim that it's useful if you like to keep the two aspects of your life separate, while still having full access to all of your contacts.
As such, Mode Switching is firmly aimed at the ‘prosumer’ (the combo of professional or producer with the word consumer), taking what many want from an iPhone and need from a BlackBerry and cramming them both into a super-slim package.
T-MOBILE G1
It's early days for the T-Mobile G1, the first mobile phone powered by Google's Android platform. Manufactured by HTC, it's already a strong consumer offering, but business users might be wise to hold off until certain shortcomings are addressed. The device doesn't support Exchange, for starters, so users can't synchronise with their Outlook email, calendar, contacts and so on. Bluetooth is only present in the form of handset and headset support – but not file transfer. And those looking to edit Office-based documents will be disappointed, as the G1 comes with a reader but no editing functionality. It's likely this will be addressed by the Android Market, where third-party developers will be able to offer Android-centric plug-in apps.
On the plus side, the T-Mobile G1 features not only an easy-to-navigate and intuitive touchscreen, like the iPhone, but also a Qwerty keyboard that slides in and out, and a trackball for navigating around the screen. It delivers a number of core functions and offers tight integration with Google's products, including Gmail, Google Maps and Google Calendar; multimedia capabilities are also well represented.
There are more Android-powered phones to come, with LG and Samsung expected to deliver mobiles that run on the software in 2009.
APPLE IPHONE 3G
When the iPhone first came out in 2007, many would-be customers were disappointed to see that it lacked 3G. But by the launch of the iPhone 3G in mid-2008, Apple had taken significant steps in refining and improving the iPhone, making it more appealing not only to a wider consumer audience, but also to business users. For a start, the iPhone now offers tri-band 3G, with both standard UMTS and HSDPA data services supported, the latter delivering a significant improvement in download speeds for web pages and other data. GPS is another important addition.
In terms of enterprise features, the iPhone now supports Microsoft Exchange push email. The inclusion of ActiveSync enables over-the-air synchronisation of calendar entries and global address lists. It also extends to a number of centrally enforced IT policy and security measures, including remote wipe and configuration, and WPA2 Enterprise and 802.1x wireless security.
For ensuring that remote connections between the iPhone and the enterprise back-end are secure, the handset now supports Cisco IPsec VPN protocols, with support for two-factor token authentication, as well as conventional password or certificate authentication.
SOME IDEAS FOR YOUR MOBILE POLICY CHECKLIST
It's a fact of life that innovation runs faster in the consumer space than it does in corporate environments. And in many IT departments, that's sparking a fierce debate as to whether user-owned smartphones should be actively supported – or banned outright.
At IT market analyst company Gartner, the consensus seems to be that banning simply isn't an option. “Make sure you have a strategy in place for employee-owned devices. Most of us can't afford to say ‘no’ [to users],” says Nick Jones, a Gartner analyst. “It will just happen behind the scenes without you knowing about it,” he adds.
Instead, Gartner analysts advocate a ‘managed diversity’ approach, in line with their prediction that, by 2012, one-third of knowledge workers in the US and Europe will access corporate data from a personal mobile device at least once a week. This approach encompasses a number of best practices, including restricting devices to a manageable subset (for example, Windows Mobile 6.X or ‘devices with an HTML browser’) and actively monitoring for unexpected devices and behaviours.
As with all security policies, user compliance is key and education plays a vital role in delivering this. Mobile usage policies need to address:
- Password protection: mobile devices on which company information is stored, or which are used to connect to company networks, should be password-protected with strong PINs. These should be changed regularly and expire after a reasonable period.
- Storage card protection: most smartphones now support the use of SD, mini SD or other flash memory cards to add a large amount of storage space to the device. These must be encrypted so that a card removed from the device cannot be read in another memory-card reader.
- File encryption: where particularly sensitive data is downloaded onto smartphones, individual files should be encrypted centrally to further protect their contents.
- Backup: to protect against loss of valuable company data, smartphones should be regularly backed up to a secure location.
- Software restrictions: policies should clearly outline what software users will be permitted to install on any mobile device that connects to the corporate network.
- Acceptable use: employees must clearly understand how they are permitted to use smartphones, whether company-owned or personal. Will they be allowed to connect to the network via VPN? Can they connect to their desktop PC to synchronise files? What kind of support can they expect from the IT department? What are their personal responsibilities when it comes to security?
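As an added example that is not part of the article, the following Python turns the password rule and five-minute idle time-out described earlier, together with the checklist items above, into a compliance check over a constructed snapshot of device settings, reporting a weak configuration beside a hardened one. The field names, the eight-character minimum and the approved-application list are assumptions, since the article specifies none.

```python
import re
from dataclasses import dataclass, field

# Limits from the article's guidance: mixed case plus a digit, idle lock
# after about five minutes. The eight-character minimum is an assumption.
MAX_IDLE_SECONDS = 5 * 60
MIN_PASSWORD_LENGTH = 8
# Constructed allowlist standing in for the "software restrictions" item.
APPROVED_APPS = {"mail", "calendar", "vpn-client", "document-viewer"}

@dataclass
class DeviceConfig:
    """Constructed snapshot of one device's settings (field names are assumptions)."""
    device_id: str
    idle_timeout_seconds: int       # 0 means the device never locks
    device_encrypted: bool
    storage_card_encrypted: bool
    remote_wipe_enabled: bool
    vpn_required_for_corp: bool
    installed_apps: list[str] = field(default_factory=list)

def password_meets_policy(password: str) -> bool:
    """Upper and lower case plus at least one digit, and a minimum length."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)

def check_device(cfg: DeviceConfig) -> list[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if not 0 < cfg.idle_timeout_seconds <= MAX_IDLE_SECONDS:
        findings.append(f"idle lock is {cfg.idle_timeout_seconds}s; must be at most {MAX_IDLE_SECONDS}s")
    if not cfg.device_encrypted:
        findings.append("device storage is not encrypted")
    if not cfg.storage_card_encrypted:
        findings.append("removable storage card is not encrypted")
    if not cfg.remote_wipe_enabled:
        findings.append("remote wipe is not enabled")
    if not cfg.vpn_required_for_corp:
        findings.append("corporate access is permitted outside the VPN")
    unapproved = sorted(set(cfg.installed_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved software installed: " + ", ".join(unapproved))
    return findings

# Constructed samples: a weak configuration and a hardened one.
WEAK = DeviceConfig("dev-001", 1800, False, False, False, False, ["mail", "game-x"])
HARDENED = DeviceConfig("dev-002", 300, True, True, True, True, ["mail", "vpn-client"])
```

Running `check_device(WEAK)` lists six findings, while `check_device(HARDENED)` returns an empty list.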