October 23, 2012

How Smartphones Threaten Business Security: Coming to Grips with the Facts

Unfortunately, smartphone users are exposing their employers to security threats in a major way, and faster than anyone imagined, which has grave implications for businesses—including law firms. In the scramble to respond, here are things that you and your firm should know.

The trade press is consistently reporting that concerns about smartphones are outrunning anxieties about cloud computing, which has been a major worry for security specialists for several years. So, are there ways to control the use of smartphones and reduce the security concerns? Sure—and they are usually employed by large-scale enterprises. But are small businesses using them? Almost invariably the answer is no.

The time has come for all businesses to address this thorny issue. To begin, you need to know where the biggest concerns lay.

Levels of Security within the Devices
Most analysts agree that, among smartphones, the BlackBerry and the Windows Mobile devices provide the best inherent level of security. The BlackBerry is considered especially powerful because it not only comes with remote data wiping capability but also provides confirmation of remote wiping, which could be critical in the event of a data breach.

For other devices, or for companies that are supporting multiple smartphone models, management software from vendors such as Credant Technologies, Good Technology, Sybase, Trust Digital, Trend Micro and MobileIron, among others, can be a big help. These platforms offer centralized control of several key things:

  • Password management (i.e., complexity and history)

  • Authentication authorization

  • Strong encryption of the device and inserted memory cards, if available

  • Inactivity timeouts, in which users are logged out of an application session after a specified period of inactivity (often 5 to 10 minutes) and are prompted for a password when they next resume activity

  • On-demand remote wiping

  • Authorized applications that can be installed to the phone

  • Features access (e.g., disabling use of the camera for pictures or videos)

  • Automatic wiping if a device is lost or stolen, or if the user (or someone in possession of the user’s phone) enters the authentication credentials incorrectly a specified number of times

As some wags have noted, even plastered out of your gourd, you ought to be able to get the password right in 10 tries.

In contrast to the BlackBerry, the iPhone is considered vulnerable because, if the SIM card is removed, the phone cannot receive a remote wipe command and it is child’s play to bypass the configured PIN. We thought Apple had resolved the PIN bypass problem with the iPhone 4, but German researchers recently demonstrated the ability to extract stored passwords from a PIN-protected encrypted iOS 4.2 device in six minutes with publicly available tools.

But, even with the PIN bypass issues, the iPhone is still considered safer with respect to malware than the Android smartphones are. According to a recent report by Trend Micro, Google’s Android operating system for mobile devices is the most vulnerable to hackers and malware. To quote Steve Chang, chair of Trend Micro: “Android is open-source, which means the hacker can also understand the underlying architecture and source code.” Obviously, this understanding gives hackers a serious advantage when contemplating mischief.

It is critical, no matter what platform is used, that users cannot disable or significantly modify any of the security features, since you can bet the mortgage that they’ll try.

Efforts to Rein in Smartphone Usage
Having said all of that, none of the possibilities for tightening up smartphone security will work if no one takes the time to implement the measures needed.

Employees have been anarchists online for quite a while, visiting sites forbidden by policy (unless it’s technologically impossible); streaming music and videos with seeming abandon, again often in violation of policy; and choosing not to employ passwords to access their smartphones whenever their firm’s security permits that option.

But, of course, not all problems can be laid entirely at the feet of employees. The recent rise of malware for smartphones has become an alarming phenomenon. Just two years ago, there were only 400 documented pieces of malware for phones (versus millions for computers). Now it appears that two years ago was really “the good old days” of smartphone security.

The simple fact is that pretty much any device with a browser and access to the Internet is at risk. Merely clicking on a link or visiting a Web site via your smartphone could result in you unknowingly installing malware that has the potential of gathering data and transmitting it to another location without the user’s knowledge. Some would say, “I’m not worried. I don’t store any confidential client or personal data on my phone.” Really—what about e-mail? Primarily, smartphones are used for application usage and e-mail access. If you have an infected phone, just opening an e-mail message could mean sending its contents to another person.

Because of some of the security deficiencies noted here, security firm McAfee has predicted that iPhones and Androids will be major targets for cybercriminals in 2011. McAfee further predicts that the cybervillains of the world will begin setting up botnets for Apple devices to distribute malware and launch cyberattacks. The bad guys are also expected to begin developing trojans specific to those devices. In addition, geolocation features in social media sites, which are also available on smartphones, will further compound exposure to cybercriminals, according to McAfee (www.mcafee.com/us.macafee-labs.aspx).

As a consequence of it all, to the extent that people don’t use their smartphones securely, they will make themselves targets of the bad guys and potentially expose their employers’ data, however innocently.

Mind you, these technologies are darn useful, as some very major players have discovered. But there remains considerable tension between those who are devoted to their incredibly slick devices and those who are responsible for information security. It’s not a question of whether cybercriminals will steal data from businesses with unsecured mobile devices—it’s just a question of how much and when it will happen.

Additional Layers in the Situation
Another component of the problem is the smartphone manufacturer. Already, Apple has been sued for allegedly allowing iPhone and iPad personal data to be sold to advertising networks. Geolocation data could also be sold. And some experts have pointed out that Google may be an even bigger problem than Apple given the amount of personal data, including geolocation data, that Google collects.

Social media is also a player here, since many people reveal what devices and applications they use during social media exchanges, potentially making themselves victims of attacks targeted to those particular devices.

What businesses need to do to remain safe is to standardize the apps that may be downloaded to company phones and to use technology to prohibit non-company phones from connecting to the network. Is that likely to be popular with people? No. And we’re not likely to see this move adopted at the small firm level anytime soon.

But the truth is that once you’re behind the firm’s firewall, it is both the right and duty of those in charge of security to impose reasonable controls. Where this gets especially dicey is when the employees own the phones they use for work but the firm attempts to exert control over their use. It is quite likely that such attempts will result in an angry backlash from those who feel it is their right to do what they like with their smartphones.

The policy makers tend to fall behind when it comes to smartphones, too. Many firms have policies forbidding the transfer of sensitive data to smartphones but they tend to neglect certain things. What about taking photos at work or recording a firm meeting? Does the policy explicitly cover both personal phones and firm-owed devices? (C’mon, how many times have you seen someone with a company phone in their left pocket and a personal phone in their right pocket?) And even if there are adequate policies in place, will the employee conform to them?

The Rising Dawn of Alertness
Things are happening very fast out there. Witness one recent study of 300 companies in the United States and Europe done by Good Technology Inc., a vendor of mobile security and management tools. Nearly 80 percent of the respondents reported an increase in the number of employees who wanted to bring their own devices into the workplace in the past 6 to 12 months—and 28 percent reported a data breach because of the use of an unauthorized device.

And yet companies have been slow to recognize the security threats presented by smartphones, even though their own lawyers are dutifully explaining to them that they are liable in the event that those smartphones cause a data breach. This awareness is now dawning—and rapidly—so expect to see a whole lot of scrambling as businesses of all types attempt to come to grips with this new security threat.