Smartphones and enterprise security
By Ian Kilpatrick.
Smartphones are spreading throughout the business world. Their use is growing across organizations and at all levels within them.
According to Gartner, sales of mobile devices in the second quarter of 2011 grew 16.5 percent year-on-year. Smartphone sales grew 74 percent year-on-year and accounted for 25 percent of overall sales in the second quarter of 2011, up from 17 percent in the second quarter of 2010.
Not only are the numbers of smartphones growing, their versatility is increasing. Where staff used to carry laptops when they went out of the office, to retrieve email and use other applications on the move, they can now carry just a smartphone.
This potentially allows them to send and receive emails, use a variety of applications, link to the company network to access data and use network-based applications, access social networking sites, and carry out online e-commerce and banking transactions.
Smartphones raise key security issues which many organizations have not yet fully realised or, if they have, have not taken appropriate measures to address in order to ensure network safety.
The biggest danger, of course, is that smartphones go missing. Many of us will have lost a mobile phone in the past or know someone who has. Research by getsafeonline shows that about one in five owners of smartphone devices can expect to lose them or have them stolen at some point. Surveys show the level of phone loss in London taxis is at a world-leading, and fairly consistent, 10,000 per month. Yes, that’s right, 10,000 per month!
Smartphones are often used for both business and personal reasons and if they are lost, both sensitive company data and personal data stored on the phone may be exposed. Email exchanges could be seen. Personal data relating to online purchasing or banking might be viewed.
If the phone is connected via a VPN, company networks will be exposed to malware or could be hacked.
Smartphones are now at the stage that PCs were at around 1999. Many people didn’t think security was necessary then, hardly anyone had firewalls, but security concerns were beginning to be a focus. It’s a similar situation now with smartphones.
It doesn't take long for criminals to think of ways of stealing and using information fraudulently. Some security experts have pointed out that targeting smartphones could potentially be more profitable for criminals than aiming at computers.
With the rapid proliferation of smartphones and the very real security risks, organizations now need to factor smartphone use into their security policies and make sure they are managed centrally.
Smartphones have also extended the network boundary even further. Employees may use devices for both company and personal use, bringing dangers to the company network, in the same way that remote workers created new and different security issues for the IT department.
In addition, these devices cross the divide between voice and data, so that companies using them are taking a strategic direction into convergence, perhaps without realising it, and probably without planning for it. They are at the cutting edge of fixed and mobile convergence, yet users are only rarely required to connect over secure VPNs and even more rarely required to use secure authentication to connect to the network.
Fixed/mobile convergence creates other security and financial threats. Unsecured access to PBX systems (traditional and IP) exposes organisations to an increased risk of toll fraud, as well as risks such as DoS attacks, backdoor attacks on the data network, and call recording.
There are a number of basic security procedures which organizations and individuals can take to increase security.
- Use the PIN or passcode function to secure the phone. Don’t rely on the
- Install data wiping facilities so critical information can be destroyed if it’s thought the phone has fallen into the wrong hands. This might happen if, for example, a password is entered wrongly a certain number of times, or when a device has been off the network for a certain period of time.
- Employ time-out policies to prevent further use of the phone if it is inactive for a certain period of time. This should be initiated from a central management console.
- Install GPS tracking so the phone can be located if stolen.
- Take a note of your International Mobile Equipment Identity number. The IMEI number is used by the GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing the network in that country. It’s easy to find on most phones by typing *#06# into the keypad.
- Take data leakage protection measures similar to those used with a PC.
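The wipe triggers and basic controls in the list above lend themselves to a central check. The following is an added example, not part of the original article: it audits a constructed device inventory, and the field names, thresholds and sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Assumed thresholds: the article says only "a certain number of times" and
# "a certain period of time", so these values are illustrative.
MAX_FAILED_UNLOCKS = 10
MAX_OFFLINE = timedelta(days=14)
MAX_IDLE_LOCK = timedelta(minutes=5)

@dataclass
class Device:
    owner: str
    imei: Optional[str]             # recorded IMEI, None if never noted
    pin_enabled: bool
    idle_lock: Optional[timedelta]  # None means no time-out configured
    tracking_enabled: bool
    failed_unlocks: int
    last_seen: datetime             # last check-in with the console

def wipe_reason(d, now):
    """Return why a remote wipe should fire, or None if no trigger is met."""
    if d.failed_unlocks >= MAX_FAILED_UNLOCKS:
        return f"{d.failed_unlocks} failed unlock attempts"
    if now - d.last_seen > MAX_OFFLINE:
        return f"off the network for {(now - d.last_seen).days} days"
    return None

def policy_gaps(d):
    # Each pair is (control satisfied?, finding to report when it is not).
    checks = [
        (d.pin_enabled, "no PIN or passcode"),
        (d.idle_lock is not None and d.idle_lock <= MAX_IDLE_LOCK, "idle time-out missing or too long"),
        (d.tracking_enabled, "location tracking off"),
        (bool(d.imei), "IMEI not recorded"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample inventory (placeholder IMEIs, not real devices).
NOW = datetime(2011, 9, 30, 9, 0)
FLEET = [
    Device("alice", "IMEI-PLACEHOLDER-1", True, timedelta(minutes=2), True, 0, NOW - timedelta(hours=3)),
    Device("bob", None, False, None, False, 1, NOW - timedelta(days=2)),
    Device("carol", "IMEI-PLACEHOLDER-2", True, timedelta(minutes=2), True, 12, NOW - timedelta(hours=1)),
    Device("dave", "IMEI-PLACEHOLDER-3", True, timedelta(minutes=30), True, 0, NOW - timedelta(days=21)),
]

def audit(fleet, now):
    return {d.owner: (wipe_reason(d, now), policy_gaps(d)) for d in fleet}
if __name__ == "__main__":
    for owner, (wipe, gaps) in audit(FLEET, NOW).items():
        print(owner, "| wipe:", wipe or "no", "| gaps:", ", ".join(gaps) or "none")
```

A device can pass every configuration check and still meet a wipe trigger, which is why the two results are reported separately.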
Smartphones are an incredible tool for a whole range of people and their use will proliferate. However, smartphone security is lagging ten years behind the growth curve, especially as they are so easily lost or stolen.
Smartphones carry with them the risks of any computer on a network and at the same time cross the divide between voice and data, which brings security risks of its own. For an organization to remain secure, smartphones need to come within the sphere of the security policy, their use needs to be regulated and active steps should be taken to employ them securely.
Ian Kilpatrick is chairman of value added distributor Wick Hill Group plc, specialists in secure IP infrastructure solutions and convergence. Kilpatrick has been involved with the Group for 35 years. www.wickhill.com
• Date: 30th Sept 2011 • Region: World • Type: Article • Topic: ISM