Protecting Smartphones from the Latest Mobile Threats

By Tom Schmidt

Today, more and more users rely on smartphones and PDAs for business transactions. Yankee Group research indicates that the number of enterprise mobile data users will increase to over 269 million by 2010, representing a 19.8% Compound Annual Growth Rate (CAGR). But while these devices provide a terrific boost in productivity and ease of use, it’s important to ask this question: How confident are users that their devices are safeguarded from the latest mobile threats?

While it’s true that the threats to smart devices are still relatively rare compared to those targeting PCs, these smart devices are the next targets of hackers. As a matter of fact, recent research has found that threats such as spam and phishing are increasingly “going mobile.”

It’s not hard to see why.

Users of mobile devices typically perceive messages received by SMS as being more personal than those received by e-mail on a desktop computer. (SMS, or short messaging service, is used for sending short text messages to mobile phones and other mobile text devices.) And, since the threats against these devices have been rare so far, users are more likely to trust those messages and to act on them.

A 2007 study commissioned in part by the National Cyber Security Alliance appears to bear that out. The study was based on interviews with 700 mobile workers in the United States, United Kingdom, Germany, China, India, South Korea, and Singapore. Among the findings: 73% of the mobile workers said they aren’t always aware of security threats and best practices when working on the go. Nearly 30% of them admitted that they “hardly ever” consider security risks and proper behavior.

A Perfect Storm?
Some industry observers have gone so far as to say that there’s a “perfect storm” brewing in the area of mobile security as a result of a number of key factors: 

• Adoption rates for smartphones are on the rise Researchers at Gartner predict that sometime in 2008, smartphones will out-ship PCs. Fellow researcher IDC, meanwhile, reports that by 2009, the number of mobile workers in the United States is expected to reach more than 70 percent of the country's total workforce.

• The technical capabilities of smartphones are catching up to PCs at a rapid rate E-mail, instant messaging, online banking, online shopping and Web surfing are all possible.

Research shows that since 2004, the number of threats targeting smart devices has doubled every six months. Because of these developments, users are recommended to secure their smart devices in the same way that they secure a laptop or PC. At a minimum this means they need

• Antivirus to provide protection against mobile threats (while having negligible impact on the smartphone).

• Anti-spam for SMS to eliminate unwanted spam messages that may also contain viruses, spyware and other malware.

• A firewall to control inbound and outbound network traffic on the mobile device.

But mobile devices require protection that extends much further and addresses today’s unique threat landscape. That’s why organizations should look for solutions that include:

• Loss mitigation technologies, which encrypt data on the device and memory cards in case the device is lost or stolen. A file activity log helps administrators determine if confidential files have been accessed, and a data wipe tool erases all data after a maximum number of consecutive failed login attempts.

• Phone feature control, which allows administrators to enable and disable certain device features, such as Bluetooth, Wi-Fi, and device synching. This limits security vulnerabilities and potential attack vectors by providing access only to those features required for business.

• Mobile VPN, which enables enterprise customers to connect to corporate networks through secure IPSec VPN tunnels in order to protect sensitive data and interactions.

• Network Access Control, which enables IT administrators to ensure that only secure, policy-compliant devices can access the corporate network.

• Tamper protection, which verifies that the device’s image and security applications have not been tampered with or altered before allowing network access.

• Enterprise management, which provides a management console for IT administrators with customizable security policies and reporting.

This kind of layered security not only mitigates the unique security risks of mobile devices but enables companies to more easily and cost-effectively comply with internal security policies and external regulations.

Mobile devices such as smartphones have become a fact of enterprise life. Today’s global workforce increasingly uses a wide range of these devices -- which are actually more of a computer than a phone -- to access sensitive corporate data over insecure public Wi-Fi and home networks. It should come as no surprise, then, that malware authors and criminals are turning their attention to these devices.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.