The mobile enterprise world for years has been rife with talk of Trojan horses, data-soiling worms and other Internet-age nasties. For the time being, though, the biggest threat to mobile security is the user.
Security technology vendors have long tried to plug their wares by hyping — or over-hyping — threats to businesses and consumers. A Silicon Valley developer earlier this year ominously warned of a new “malicious piece of software” that targeted Symbian S60 devices — despite the fact that the worm apparently infected only a handful of devices from a lone Chinese operator. Another firm recently claimed that “three-quarters of mobile-phone users are aware that malware can infect a mobile device via Bluetooth” but don’t have security installed on their handsets.
The human factor
Such reports make for good headlines, and they effectively raise awareness — or, at least, stoke fears — among mobile users and I.T. managers. McAfee Inc., a longtime player in PC security, claims in its 2008 mobile report that “more than 86% of users have at least some level of concern relating to the security of their mobile device,” despite the fact that a mere 2.1% of respondents reported experiencing a virus on their phones.
So how big a threat are the mobile bogeymen hiding under the bed? Not nearly as scary as the business users who carry the handsets. Because when it comes to protecting sensitive data on mobile phones, human behavior is far more dangerous than any technological factor.
“We think the biggest security risk for a cellphone is its being lost. Others will argue that it’s viruses, but we don’t believe that,” said Nick Magliato, CEO of mobile security outfit Trust Digital. “I don’t believe there’s going to be this widespread virus outbreak that will destroy cellphones, but a lost SD card will happen every day.”
Indeed, smartphone users — who, presumably, have more sensitive information on their handsets than feature-phone users — are 40% more likely to lose their devices, according to an August 2007 study from In-Stat. The market research firm found that many smartphone users refuse to accept even the most basic security policies, and I.T. departments are often all too willing to allow users to determine the content and applications they use on their phones.
Blurred usage
In-Stat found that the world of wireless communications is about as secure as its fixed-line counterpart. The study echoed a recent report from Cisco Systems Inc. and the National Cyber Security Alliance that indicated more than one-fourth of the 700 employees polled conceded they “hardly ever” consider the security risks and “proper behavior.” (InsightExpress conducted the study, which was commissioned in part by Cisco — which, of course, peddles mobile security solutions.) That kind of inattentiveness might not be a problem if companies controlled their wireless communications more aggressively. But the line between personal and enterprise communications continues to blur in mobile as multimedia-friendly devices come to market, and employees are increasingly looking to use high-tech gadgets like Apple Inc.’s iPhone for both business and pleasure.
In-Stat’s study found that roughly half the devices being used for business are bought by the company, and while one-fourth of U.S. enterprises are taking more control of their mobile communications, nearly as many are moving the other direction. So employees tend to think of mobile phones as “theirs” — not the company’s — and often neglect to use basic safeguards such as passwords, or to call their I.T. departments when phones are at risk.
Greater capabilities, greater risk
Those concerns are likely to grow as smartphones get sexier and networks become more open. Initiatives such as Google Inc.’s and Verizon Wireless’s move to open its network are likely to spawn a host of new devices that support both complex business applications and eye-catching multimedia content from a host of players including third-party developers.
So it’s up to network operators and their corporate customers to take control of enterprise communications systems, In-Stat analyst Bill Hughes urged. Because the biggest pitfall in mobile enterprise security isn’t technological — it’s the end user.
“The first step for organizations to get in front of mobile security is to assume corporate liability for mobile communications,” Hughes wrote. “As long as users are left to make network decisions, the solutions will be the most expedient or least expensive, not necessarily the most secure. If wireless carriers fail to make this case and acquiesce in letting corporate customers pursue individual liability as an acceptable option for business use, it seems inevitable that security breaches will become more common.”