
Interop: Mobile Security Is Weak Link

Despite their growing prevalence in the enterprise, smartphones are the poor cousin when it comes to data protection—and that has to change.
While most enterprises have well-defined policies for securing laptops and PCs, many still treat mobile devices as an afterthought even though the latter are increasingly likely to be in widespread use and contain valuable corporate data.

"The smartphone is the new computer--we're seeing that on steroids now," said editor-in-chief Alex Wolfe, who moderated an Interop Las Vegas panel Wednesday called Mobile Security: New Challenges—Practical Solutions.

"But security is the elephant in the room," said Wolfe.

And it's likely to be a growing problem for businesses. Gartner predicts smartphones will surpass PCs and laptops as users' primary computing devices by 2013, when more than 600 million units will be in use.

"The smartphone puts the same data you have on a laptop out into the field," said panelist David Perry, Global Director of Education at Trend Micro. Perry said 100,000 new pieces of malware make their way into the wild every day. The risk is such that "I don't have any important data with me ever," said Perry.

For CIOs and other tech officials, ensuring mobile security is more challenging than locking down PCs due to the number of platforms on the market—combined with the fact that employees tend to use their personal devices for work-related tasks.

"There's a consumerization effect occurring," said panelist Khoi Nguyen, group product manager for Symantec's Mobile Security Group.

Indeed, major platform providers like Google, Microsoft, RIM, and Symbian all have their own methods of implementing security standards and features. And if HP can restore Palm's status as a significant player in the market through its proposed $1.2 billion buyout, IT managers' multi-platform-inspired headaches could get worse, said Khoi.

Still, there's an upside to the diversity—at least for now. "The main advantage for mobile (from a security standpoint) is that no one OS is dominant," said Perry. As a result, hackers get more bang for the buck targeting the homogeneous PC market, where 90% of computers run Windows.

But with mobile devices becoming ubiquitous in the workforce, many believe it's only a matter of time before they become the primary target for malware, phishing schemes, and social engineering attacks. That means enterprises need to start developing comprehensive mobile security practices and policies now.

Panelist Jay Barbour, an advisor at RIM's BlackBerry Security Group, said there are a number of steps IT departments can take to enhance mobile security. One major point of vulnerability is user-downloaded apps that trick individuals into giving away sensitive information.

"All you need is a bit of social engineering and the data is gone," said Barbour.

Downloads can also contain exploits that target corporate networks. To counter that, enterprises should "sandbox" non-business apps so they can only get to the Web and not to the network, he said.

Other steps enterprises can take to thwart mobile attacks include employing hardware-based code verification to prevent OS compromises, using tamper-resistant hardware, and denying full admin privileges to end users.

"Users are always going to make critical mistakes," said Barbour.

Finally, enterprises need to fully educate employees on the consequences of data loss—both to the organization and to their careers—and the fact that it's their responsibility to maintain physical control over their smartphones.

"The biggest risk is still the lost device," said panelist Ryan Naraine, senior security evangelist at Kaspersky Lab. "And that becomes the CIO's problem."