Protecting information on mobile devices
7th Feb 2013 | 08:00
Threats are growing more ominous with 'bring your own device'
Protecting information on mobile devices part 1
Protecting mobile devices and the data they hold in a 'bring your own device' world is a challenge.
Anti-malware and encryption technologies for PCs are still very much a work in progress for mobile devices, which also face attacks that do not exist for the standard business PC.
The most serious threat during 2013 may come from malicious and high-risk Android apps. Online security specialist Trend Micro has predicted there will be 1 million such attacks in 2013, up from 350,000 in 2012.
Mobile malware threat
One major threat is the risk from mobile malware. This has increased dramatically in the past two years with tens of thousands of threats, according to David Emm, senior security researcher, Kaspersky Lab.
"Right now the most widespread threats are SMS trojans, advertising modules and exploits designed to gain root access to the smartphone. However, at the start of 2012 we also saw the emergence of the first mobile botnet, a clear indication that cybercriminals are paying more attention to mobile devices," he says.
"Then there is the risk of data loss from lost or stolen devices that contain sensitive business information or from conducting confidential transactions on insecure networks, for example public Wi-Fi hotspots."
Add to this the dangers of toll fraud, such as when malware is used to intercept premium rate SMS billing messages and payments, and phishing emails. The latter can be more effective on mobile devices as people respond more quickly and perhaps more thoughtlessly, while on the move.
Geolocation technology on mobile devices also poses a threat, as it can identify the user's movements.
Eric Maiwald, research vice president at Gartner, says: "There are some cases where the mere fact that an individual has visited another location, taken a trip and talked to another company for example, might be exceedingly sensitive information. In that case geolocation is important.
"Countering it is very difficult, partially because the users often give up their location on purpose. You have seen it on Facebook where people are tagged at a location.
"If that is something the user wants to do, it is very difficult for the enterprise to counter it. At this point I don't know if technology is going to solve that problem."
Protecting information on mobile devices part 2
Many businesses are mandating password protection and software updates on mobile devices, but few have got as far as implementing anti-malware and anti-spyware as they would with laptops.
Maiwald says tools are available, but that until recently Apple rejected anything to do with anti-malware on its devices as they were seldom targeted.
There are more for Android, and some companies urge employees to install some of the freeware anti-malware packages on their devices, but few are ready to deploy commercial-grade anti-virus.
According to Maiwald, there are lots of reasons businesses are not yet implementing anti-malware measures on mobile devices, including the fact that the technology is new, it impacts the performance of the device and is a cost that enterprises try to avoid.
In the meantime, businesses should look to enable passwords, educate users about malware on apps, and upgrade operating systems - bearing in mind mobile devices that are older than two years may not receive security updates and patching.
They also need to turn off discovery mode in Bluetooth, ban jailbroken phones from accessing company data or systems, and consider encryption and anti-malware, particularly on Android devices.
How to enforce all of this in a BYOD world? Most experts recommend a balance of technology and policy. Mobile device management (MDM) platforms, once the preserve of big business, are now an option.
"MDM is out there for small and medium sized business, as software-as-a-service," says Bob Tarzey, analyst and director at Quocirca.
"There are a number of ways to enable BYOD, but perhaps the best is to only enable it as an access device, then the on-device security is a matter for the owner, as corporate security issues are handled centrally."
There are so-called container products already in the market, where email and company information is held inside an app on the device and the enterprise can remove the app and all the information without impacting the rest of the device. "I expect that in the next five years they will improve and we will see some additional mechanism that allows us to separate business information from personal," says Eric Maiwald.
Of course, there are other questions around information ownership and responsibility for protecting a device. What can the enterprise do if the employee leaves the company or if the device is no longer in use? What happens if a company needs to wipe data from a device remotely?
These issues call for policies and protocols across the business. See part 2, IT security protocols for flexible working.