Smartphones are a weak link in security

Information Security Forum VP sounds warning


Steve Durbin says that smartphones pose one of the biggest risks to businesses' information security, and that smaller firms are finding it hardest to cope with the threat.

The Global Vice President of the Information Security Forum (ISF), the international body on cyber security and information risk management, says the threats are increasing, and that companies need to adopt some appropriate management policies to keep themselves from becoming victims of the trend.

"We're seeing an increase in malicious software targeting the mobile environment," he says in an interview with TRPro. "There are millions of new variants of malware coming out every month. A lot of malware loaded into machines stays unfound for an average of eight or nine months.

"You have to be mindful of the fact that from a mobile environment, particularly Android, you could be susceptible."

Apple assurance

Durbin says that apps developed for Google's mobile operating system are more likely to pose a threat because they come through an unregulated market. He has more confidence in iPhone apps, as Apple works collaboratively with its developers and provides more quality assurance. Windows Phone is more of an unknown quantity, because the ISF has so far had little feedback on its use.

The problems are exacerbated by the lack of any simple security software for smartphones; and even if it were widely available, he has doubts about how widely it would be used.

"There are two challenges with software, particularly on smartphones," he says. "One is that it slows down the device. They were designed as consumer devices and we're now using them as work products. It can also produce a battery drain.

Steve Durbin

"We are starting to see some developments from manufacturers; for example, BlackBerry now allows you to run two profiles on the phone, work and private. But there's always a reluctance on a consumer device to keep logging in; people expect them to be easy to use and that's part of the problem.

"The other is usability. Unless it's completely intuitive – and it's not going to be because you're creating something that sits on top of the device – people will find ways around it."

Small firm threat

The increasing use of mobile devices for work is making this an issue for an increasing number of companies, and Durbin points out that the small firms are unlikely to have security specialists, or even full-time IT staff, to help them deal with it.

"This will leave you exposed if you don't follow some relatively simple steps," he says.

His starting point is to think about how much of the information held by the company could be damaging if it fell into the wrong hands. In most cases this will not exceed 15-20% of the total, but that subset is what needs policies and procedures to ensure it is protected. Only then should the company look at the mobile devices themselves.

"You need to think about the ownership of these things," he says. "Will you allow them to bring their own devices to connect to your systems, or will you bring them the tools to do that?

"If they bring their own devices you need some form of policy in place so people understand what they can and cannot do in terms of mixing private and work information. You will need an agreement that if they are storing information on the device you will be able to remotely wipe it if things go badly wrong; and you will need to decide the level of protection you will put on the devices."

This brings with it the need to define and communicate the policies, make them realistic, relate them where possible to what people do outside of work, and if possible tie them to additional benefits.

But he fears that it's beyond the capabilities of many small companies, especially if it involves any significant spending. They may acknowledge the risk of losing information, but they will see more immediate benefits in spending money on equipment or services that support their day-to-day operations.

"That's the sort of decision small businesses have to make on a daily basis," he says. "Unless they are dealing with information that really has to be securely held they are going to go for the option that enables them to focus on their core business."

Durbin is more sanguine about cloud, despite an acknowledgement that it doesn't always come with a high level of security. He says that companies generally know that they get what they pay for, whether it's an inexpensive option with minimal safeguards or a full service in which the provider manages all aspects of the data security.

Wi-Fi usage

He is also quite relaxed about the use of public Wi-Fi, arguing that there are some people who have no choice but to make frequent use of the wireless available in cafés, hotels and airports.

"It comes back to thinking about the information you're transmitting, so what you can say is 'Don't access these particular corporate applications from Wi-Fi'," he says.

In all these cases the risk cannot be completely eliminated, and Durbin says the best approach is to set out guidelines for acceptable risk and ensure that everybody complies. And he winds up by reiterating his warnings about mobile technology.

"The most important point is think about the information you want to protect and use that as the starting point, rather than getting excited about everyone having a new iPhone or iPad."