While the range and variety of IT security defences for portable computers – that’s netbooks and laptops to most people – is excellent, and able to cater for all budgets and types of user, it should be apparent to any security observer that the same cannot be said for smartphones and tablet computers.

With 45 million iPads already having been sold, and with the prospect of Android and BlackBerry tablets also selling in their millions, it’s clear that IT security professionals working within companies of all sizes have a problem on their hands. And this is before we even begin to talk about securing the rising numbers of smartphones in the business workplace.

With most business users toting one or more mobile devices with a variety of email, documents and contact details in their memories, it should be clear that smartphones and tablet computers should be afforded the same levels of security and protection as the laptops and netbooks in circulation.

And the lines between portable computers and mobile devices such as smartphones and tablets are becoming blurred. Toshiba already has an Android-based netbook released, and several vendors – notably Acer and Lenovo – have laptops running Windows and Android coming down the technology turnpike this summer.

The pressing question facing the hard-pressed IT security manager is how to get the mobile security focus back on track in the face of a paucity of tablet and smartphone-specific security offerings and a general apathy among corporate users?

According to a just-released major report from the CNCCS – Spain’s national cybersecurity advisory council – a general lack of security awareness among mobile users and their general carelessness are the two main risk factors for smartphones in business.

The conclusions of the June 2011 report (http://bit.ly/kk2x4T) are that, unlike the previous generations of mobiles, which are, at worst, susceptible to local Bluetooth hijacking, today’s smartphones are subject to the same risks as PCs.

New attack vectors, says the report, will increasingly be exploited by fraudsters as online banking services use these devices as second authentication factors given the current convergence between PCs and mobile phones.

Against this backdrop, the research recommends that users take all necessary precautions when opening email messages, SMS attachments or clicking links, the latter of which is an entry point for the latest Zeus attacks.

According to the report, users should also be wary of any files, links or numbers received from unsolicited email or SMS messages, and avoid using untrusted Wi-Fi networks. Most notable of all is the recommendation that firms should take smartphones into account when establishing their corporate security policies.

The CNCCS report confirms many of the findings of Origin Storage’s survey of IT security professionals at April’s Infosecurity Europe show, which revealed that 41% of IT professionals are carrying sensitive information on their smartphones.

Against a backdrop of 19% of respondents revealing their employers had suffered a breach as a result of a portable device going missing, and more than half of those respondents revealing that the portable device was not encrypted, it is clear that something has to be done.

What was interesting about the results of the survey was that 70% of organisations had made data encryption mandatory in their businesses, suggesting that many users of portable devices are breaking their own firm’s security policy rules in their day-to-day business.

This apathy also perhaps explains the fact that 37% of respondents admitted that between four-fifths and all of their sensitive data stored on their portable devices was unprotected. It’s interesting to note that this proves the case that we are not just dealing with a few files copied to a portable device in a hurry here, perhaps by an employee who is late for an off-site meeting – this is a failing in corporate security policies and their implementation.

So what is the solution to the general apathy surrounding the use of portable devices, and especially Internet-connected devices such as tablet computers and smartphones? User education, while desirable, plainly isn’t working, as most corporate users of technology are probably aware of the security risks posed by their laptop computer.

This understanding has been driven by years of discussion and education by all parts of the IT industry, not least by the resellers and systems integrators that supply this type of kit to most businesses.

Unfortunately for corporate portable device users everywhere, only a handful of those same resellers and systems integrators sell tablet computers into the business environment, while most smartphones are sold to companies through cellcos or their dealers.

And, as any mobile user will attest, security is rarely on the agenda of the dealers and cellular networks that are busy promoting and selling handsets and mobile phone contracts. It’s a non-starter.

It’s against this backdrop that we are left with the stark reality that it will probably take a series of major corporate blunders involving sensitive data lost as the result of a lapse of security in a tablet computer or smartphone, and for the affected company’s reputation and share price to take a consequential battering.

There is nothing like a share price dip of 8-10% to focus the attentions of a CEO and CFO, and so pressure the IT manager into deploying sound security solutions and practices to stop an incident from ever happening again.

The irony of this situation will not go unnoticed among those IT professionals whose experience dates back to the 1990s and a time when desktop and laptop security was in a similar evolutionary stage as mobile security is today.

And while today we have regulatory influences such as the Data Protection Act and the PCI DSS rules applying to any business that stores personally identifying information or card transactions, the fact that the Information Commissioner’s Office has only rarely prosecuted an organization for a breach of the DPA means that the stick approach will not work.

So what about the carrot? That too, sadly, is also probably doomed to failure, so we are left with the need for governance and the tapping of hardware plus software resources to help enforce best practice in the mobile security arena.

Products such as Origin Storage’s one-terabyte version of its Data Locker secure encrypted hard drive and its range of encrypted hard drive kits – allowing computer users to install a drive in their desktop and laptop machines that will encrypt data on-the-fly, and migrate their data from the old drive at the same time – have been well received, but we cannot rest on our laurels, as with the arrival of more and more advanced tablet computers and smartphones it is clear that on-device encryption has to be the way forward.

Supplemented by corporate policies that prohibit the use of mobile devices without encryption – and treating a breach of the rules as a disciplinary offence – it is possible to change the habits of UK PLC. The process will, however, take time.

Changing portable device user security behaviour is a task similar to steering a giant oil tanker – all changes of course need to be planned some way in advance, but once executed can be relied upon to take effect over a period of time.

Andy Cordial is the managing director of Origin Storage. He started his computer industry career in 1987 working for tape manufacturer Everex Systems. He then moved into computer distribution in 1989 and set up his first computer company XL Distribution. XL merged with Datrontech in 1992 and Cordial was employed in the management team.

He saw Datrontech through flotation on the LSE then left to start Upgrade Options Plc in 1996. He sold Upgrade Options (MBO) in 2003 and invested in Origin Storage Ltd. Cordial helped build Origin Storage to a £5.2m business and saw it enter The Sunday Times Fast Track 100. He now owns 100% of Origin after successfully buying out his partner in 2009.