In the nearly 10 years since the revolutionary BlackBerry first hit the market, the use of mobile devices (smart phones) in the corporate environment has skyrocketed, and the transition from a deskbound to a mobile workforce appeared to occur almost seamlessly.
However, mobile devices equal mobile vulnerabilities. Behind the scenes in IT departments around the world, the changes of the last decade have been anything but seamless, as along with the release of mobile devices a host of new security concerns evolved.
Now that mobile devices ostensibly provide all of the functionality of a computer, they are open to the same threats as a computer, including hackers, viruses, Trojans and worms. This malware finds its way onto the mobile devices of unsuspecting users and from there can infect corporate networks when users innocently 'sync' mobile devices with office desktops and notebooks.
New security concerns
Beyond viruses and malware, the emergence of the mobile workforce poses other, more mundane security threats. While users are working on the move, a lot of crucial and oftentimes confidential information sits on the device, unsecured and not backed up. This information is at risk, as documents and emails compiled on the move are the only copy until the device is synchronised.
Data stored on mobile devices may also be susceptible to threat, as mobile networks such as WAP, Bluetooth and WiFi are not secure. Another problem with storing data on mobile devices is the issue of theft. If a mobile device is stolen, not only is the data stored on it lost to the user, it could also be hacked and fall into the wrong hands.
For these reasons it is essential to include mobile devices in the security model of a company, and also to make certain that steps are taken to safeguard data against threat. This includes securing the Virtual Private Network, implementing effective data encryption, and ensuring that the correct mobile device security products are installed.
Added to this, the Global Positioning (GPS) capability of many new devices means that the GPS signal emitted by the device can be used to triangulate the exact position of the person in possession of the device. While this may not be a problem for most, high profile individuals could be thus placed at risk.
A case in point is the ongoing debate surrounding US President Barack Obama and his BlackBerry. The potential for sensitive information to be leaked cannot be ignored, and the consequences of malware finding its way from an unsecured mobile network onto the data system of the White House could be catastrophic. Not to mention the fact that if the President's precise location could be easily discovered from his mobile device, he would be intensely vulnerable to those wishing to do him physical harm.
The Obama example serves to highlight the vulnerability of mobile devices, and the need for effective security. But while the idea of somebody being able to trace the position of another using a mobile device is worrying, viruses and data security are the more pressing issues for the majority of organisations.
The evidence of threats
Viruses that infect mobile devices may cause problems ranging from simple nuisance, such as replacing system fonts and changing device language, to malicious damage of applications. Dangers to data include viruses that corrupt information, copy and broadcast data over Bluetooth, and attacks that send out the IP address of the device and start remote communication.
These threats evidence a growing need to ensure that the corporate security policy incorporates mobile devices, can be easily adapted to meet the constantly changing security demands of technology, ensures that users logging into the network adhere to policy, and includes data backup and encryption tools.
At the end of the day, mobile device security is the responsibility of the company, not the users, and security policies must be pushed from the top levels down. While training and awareness may be beneficial for users, ultimately it is up to the organisation to ensure that is has the right policies and the correct software in place to deal with the security threats posed by mobile devices.
Fred Mitchell, Security Business Unit Manager, Drive Control Corporation