The rise of the smartphone over the past few years has been a technology success story. An almost perfect storm of advancing materials science, chipset development, software innovation and social networking has fueled progress in handset design and capability beyond anything that could have been imagined only a couple of decades ago. Such tremendous computing power, alongside users’ private data and contacts, makes a tempting target for criminals. It could be argued that the security industry has been slow in recognizing the threat to such devices, so only now are we seeing products and services designed to improve smartphone security.
Very few businesses want their data to be less mobile, aside from those that have just gone through a major data loss incident and are hurriedly trying to bolt the doors after the data has gone. In fact, many businesses seem to pride themselves on the mobility of their data, on the basis that their employees will be accessing work-related data at all times of the day or night and will therefore be more productive. Whether employees are actually more productive is another discussion, but certainly the drive to mobilize data has resulted in the endpoint of most organizations’ networks being in the handbag or pocket of their employees.
One exciting part of data mobilization is the tidal wave of smartphones being used by businesses to access their data. But what are the particular security issues and opportunities that these smartphones present?
Of course, data is more mobile than ever before. Few people pause to consider why we should automatically assume that all data should be made mobile. Very few computer security types are successful in stopping this demand, certainly outside a handful of top secret establishments. One of the first questions many a new employee will ask is how they can connect their smartphone to the data they use. After all, the success of web sites such as salesforce.com is based on the fact that, like all cloud computing solutions, the data can be made available from anywhere. A young workforce knows nothing other than mobile computing.
Most businesses accept mobile computing and, during this inevitable embrace, need to decide how to best protect their data. After all, the smartphone is where it is happening.
Try to go into a phone shop and buy a phone that doesn’t have at least some “smart” features and you will have a problem. Some organizations that try to equip their workforce with phones that don’t have a camera, for security reasons, have a problem. Some manufacturers have woken up to this and are now producing basic phones, especially for the older generation that may need improved handset accessibility. Consider that the biggest growing group of Facebook users is the 35-year-old-plus group, all of whom will want to access their accounts long into the future. Even if the Facebook site isn’t around, a successor will be, as social networking appears to be deeply entrenched in so many people’s lives.
Smartphone hardware marches on relentlessly. Handsets are certainly getting more powerful; for example, in 2010 LG announced the Optimus 2X with a dual core 1GHz processor. Research has shown that 2011 is the year when smartphone shipments will overtake PC shipments, with both PCs and smartphones lying neck and neck at around 400 million units each, per year. The amazing growth in these fantastically powerful devices presents us as security experts with a significant challenge.
On top of all their other concerns most CISOs are now having to worry about a number of smartphone security issues:
- Are my smartphones going to be infected with malware?
- Is my smartphone based data secure?
- Will my mobile voice traffic be secure?
- Can my smartphones be remotely managed?
There is no longer a discussion about whether these devices should be allowed; now the conversation is how they can be accommodated safely and securely. Ultimately the CISO is worried about risk to the business, and in particular how this new smartphone risk can be managed whilst at the same time improving the business productivity of users.
Cast one’s mind forward 20 years and it boggles at the depth and breadth of attacks our mobile phones will be subject to. In the meantime, anyone who conducts sensitive business using a mobile phone should seriously consider implementing preventative measures sooner rather than later. As more and more people use their mobile phones to run their entire lives, attackers will focus their efforts on getting the information they need from these devices. In many respects, attitudes towards mobile phone data security reflect those held 20 years ago towards the humble personal computer. Back then attacks were minimal, anti-malware was yet to become established and hacking was in its infancy. Now we are in a maelstrom of attacks against the PC, carried out with a sophistication and scale we previously thought impossible. The smartphone is next on the list.
Nigel Stanley, Practice Leader Security, Bloor is speaking on “Can You Turn Mobile Devices To Your Advantage Or Are They The Next Big Security Hole?” in the keynote programme at Infosecurity Europe 2011.