
Five security risks introduced with smartphones in the enterprise

Scott Lowe discusses five smartphone security issues that should be at the top of every CIO's mind.

Sometimes, it's hard to identify the line between smartphone and human; the devices have become so ubiquitous and so visible that they often seem to be nothing more than an extension of flesh, an additional Borg-like appendage that assimilates the user's attention. This is apparent everywhere we go -- stores, the mall, restaurants, and even, unfortunately, behind the wheel. People text, tweet, talk, email, kill pigs, and get kicked off planes, all in the name of staying connected.

Although smartphones have affected our lives in many ways, there is one place that must be warier than most when it comes to embracing these culture-changing tools: the enterprise. Used without care or control, these mini-computers have the potential to wreak havoc and leave an organization at risk. In this article, I'll discuss five issues that should be at the top of every CIO's mind as the question of smartphones is bandied about.

Insider theft of information

Many of you probably know how Sgt. Bradley Manning was able to steal classified material and pass it on to Wikileaks. If you don't, here's how he did it: He carried rewritable CDs containing Lady Gaga songs and rewrote them with downloaded documents. During his workday, he "listened and lip-synced to Lady Gaga's 'Telephone' while exfiltratrating [sic] possibly the largest data spillage in American history."

That was accomplished with rewritable CDs. Now, take a look at your smartphone. How much capacity does it have? 8 GB, 32 GB, 64 GB, or more? Does it have an SD card slot too? Just imagine how much data could be stored on that device in one visit. Getting document data onto some devices is a bit harder than onto others, but it's far from an impossible feat.

As mobile devices become more ubiquitous, organizations need to consider the ramifications of this kind of activity and apply organizational risk management policies in ways that are appropriate. There really isn't any specific guidance here; the right approach is specific to every organization.

New malware opportunities

Smartphones provide fertile ground for enterprising criminals and ne'er-do-wells intent on ruining someone's day. Earlier this year, ZDNet reported on the rising incidence of infection across smartphone platforms and provided some specific steps that users can take to protect themselves. Recently, CBS News ran a similar story.

Things aren't nearly as critical as they are in PC land, and with no clear de facto standard mobile operating system, it's a bit more difficult and somewhat less compelling to exploit mobile operating systems at present. I fully expect this to change in the coming years.

To mitigate, where appropriate, require users to run anti-malware applications on their mobile devices.

Additional wireless attack vectors

Although vendors generally patch security holes as they are identified, in the interim period, users remain at risk. Earlier this year, security researchers discovered a serious Android exploit: "The exploit is capable of reading and writing files from an Android's SD card or system partition as well as uploading user data over the internet."

Now, imagine that your organization doesn't yet have policies prohibiting sensitive information from being stored in unencrypted areas of a mobile device. This is just one example of the ways that the mobility of smartphones can work against them. Wireless devices generally have at least three different wireless access paths: 1) cellular; 2) Wi-Fi; 3) Bluetooth. Any of these doors can be opened by a person who is determined enough to do so.

To mitigate, ask users to disable certain wireless doors if they are not in use.

Loss of sensitive corporate data

This one is more common than malware infestations on corporate mobile devices. Smartphones are easy to lose and easy to steal. They're so portable that someone can simply grab one and go, with the owner being none the wiser until it's too late. As people use these devices more as business tools, the risk of accidental exposure of sensitive information rises significantly. Even something as simple as synchronizing email with a smartphone increases the risk that data will make its way into the wrong hands.

Good corporate policy and tools to compartmentalize sensitive information should be considered as safeguards against this all-too-common threat.

Inability to appropriately control personal devices

In many places, people are bringing their personal devices to work and demanding that they be able to use them in place of corporate-provided services. Organizations that lack policies for handling these devices leave themselves at higher risk of being unable to take swift action when necessary. For example, are you allowed to simply remotely wipe a person's personal device if you believe that it has been compromised, that person has left the organization, or the device has been lost or stolen?

By implementing clear guidelines for what can and cannot be done with corporate information in regard to mobile devices, organizations can maintain the strict controls that are necessary to safeguard information. If users don't want to allow IT to wipe their personal devices, but that's what corporate policy requires in certain situations, then that user can be more easily denied the opportunity to use a personal device.

If you haven't already, now is the time to get mobile policies in place and make sure they're clear and well-communicated.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

3 comments
pyter

People are always the critical point in security. Today's IT vanguard can morph into IT nemesis tomorrow. Monitoring with instant alert and record for forensics seems to help.

mark1408

The insider theft danger was around long before the meteoric rise of the smartphone - first, as you say, it was CDs, then memory sticks. Our corporate AV (Sophos) has a data leakage prevention module which either monitors or blocks the transfer of certain file types or data types to removable media or email. We only use alert mode and I'm sure a determined data thief would find another way, but it's a useful line of monitoring and defence.