By Judy Mottl
While smartphones are not yet plagued with the malware and virus barrage hitting desktop and portable computer users, strong security is a requirement given increasing dependence and data sharing.
Research firm IDC predicts the number of converged mobile devices will spike from the 151.6 million last year to 334.2 million by 2013 and increasing reliance on business and personal data means a device loss or theft will pose even greater threat for users and companies.
Just consider the fact that New York taxicab passengers left 31,544 mobile phones and 2,752 handheld devices (including laptops and memory sticks) in a cab in a six-month period during 2008, according to a Credant Technologies report.
Yet many companies are only employing basic handset protection to ensure that lost or stolen handsets don't pose an information breach.
An Infonetics Research report this Spring noted that nearly half of big organizations are relying solely on security provided by a smartphone's operating system. That means even strong security platforms, such as Research in Motion's BlackBerry system, aren't providing full protection when it comes to online threats.
"All it will take is one well-publicized attack to drive the need for immediate spending on smartphone security, possibly even beyond the increased spending our respondents are planning already," wrote report author Jeff Wilson, Infonetics principal analyst of network security.
While Wilson notes viruses are not a major smartphone issue yet, it's just a matter of time before mobile handsets become a hacker's primary target due to valuable data.
"Hackers haven't targeted smartphones very much, but they will. The bigger issue is data loss due to lost phones or compromised removable storage in phones," Wilson told CIOZone.com.
"These devices have large drives and the ability to support microSD storage cards, so a corporate user can store a lot of data on their phone. Companies making investments in smartphone security today are looking into solving the data at rest problem first," he adds.
For CIOs who don't want to explain how proprietary data has gone missing from a handset, experts offer up some tips.
The first is developing a security policy specifically for smartphones that aligns with other IT security processes.
"Then you need to have a strategy for controlling devices; what will you do if a device is lost or stolen, or when a user loses their removable memory card," advises Wilson.
IT organizations should also aim to standardize on smartphone platforms to make security easier to manage security-wise he added.
"This can be hard," acknowledges Wilson, "as users often bring their own devices to the table," noting the proliferation of Apple's iPhone in the corporate environment.
"Most IT shops have no control over iPhones," he explains.
The second step, after policy making, is to devise a response plan for when a mobile virus does hit.
"Viruses are coming so now is the time to figure out what you will do when it's time to invest in malware clients for smartphones so when there's an issue (large well publicized attack) you can react quickly," says Wilson.
Companies that are boosting mobile handset protection are using a variety of approaches according to the Infonetics report.
Some are deploying centralized management y and others are using a smartphone security as a services approach.
One IT consultant recommends making sure even the basics are in place as well and devising improved ways to lock-down smartphones.
"One requirement is better ways of fielding locked down smartphones that prevent the user from doing sloppy things like carrying a BlackBerry without setting a password," says David Carr of Carr Communications.
Carr notes that security focused organizations will likely want to be able to stop employees from installing apps without IT approval.
"That kind of goes against what people are learning to love about smartphones. But if people want to load games so their kids can shut up and amuse themselves when the family goes out to eat, those employees can buy their own phones," he told CIOZone.com.
Many organizations, adds Carr, probably won't begrudge the CEO who wants to load a music player and some games on a BlackBerry.
"But I have to wonder how this will play out with the more conservative, security conscious organizations, who worry about the corporate data (starting with email at a minimum) also flowing through these devices," he says.
Jeff Wilson - Principal Analyst, Network Security: Infonetics Research, Inc.
Infonetics smartphone security study
David Carr comment on CIOZone in discussions
IDC report cited -- IDC, Worldwide Converged Mobile Device 2009-2013 Forecast and Analysis, Doc # 217210, March/2009
Only registered users can write comments.
Please login or register.