Mobile security needs balancing act

Around 90% of organisations have restrictive security measures on mobile devices, while 10% of mobile business users have little to no security, according to Research In Motion (RIM).

Sinisha Patkovic, director of BlackBerry Security at RIM, will speak at the ITWeb Security Summit 2011 to be held from 10 to 12 May at the Sandton Convention Centre in Johannesburg.

According to Patkovic, the business risks of an unsecured device falling into the wrong hands as a result of theft or loss can be enormous.

“The consequences may include public embarrassment and bad press, theft of sensitive financial and customer data or intellectual property, legal trouble, and strained relationships with customers,” he notes.

He adds: “Like any computing device, mobile devices may fall prey to malware. Protecting any computer system from malicious programs such as viruses, Trojans, worms and spyware can be accomplished through detection and containment.

“However, detecting malware on a smartphone is difficult because of constraints such as limited processing power, battery capacity and storage space to cater for traditional anti-virus software with large signature databases.”

Patkovic says the answer lies in creating a balance of security, where securing the mobile device is not too strict but not too open either.

Often, due to a fear of the unknown and mobility not being completely understood within the organisation, all features and functions get locked down, he says.

“The assumption may also be made that security on a smartphone is the same as a PC, or the administrators will follow a security checklist without looking objectively at the security risks that are being addressed.

“This type of overly cautious approach is characterised by the requirement for very long and complex passwords, very short security timeouts, access to e-mail but little else and a ban on applications.”

In contrast to this approach, Patkovic cautions that too little security stems from IT administrators looking for the path of least resistance, usually as a result of ignoring security questions.

“Users end up with no password protection at all, and free access to install any applications they wish, with no controls.

“Both scenarios are far from ideal, but often both policies typically get deployed within one organisation.”

The BlackBerry PlayBook, which has attracted a lot of attention due to certain missing elements, such as e-mail capabilities, is claimed to clamp down on security vulnerabilities.

Patkovic says: “The BlackBerry PlayBook will allow organisations to leverage the security inherent in the BlackBerry solution. When paired through a secure, wireless Bluetooth connection, users can see and interact with information already on their BlackBerry device in real-time.

“But business information is removed once the secure connection is broken. Data cannot be compromised and copied or pasted into other applications not approved by the enterprise.”

Jayson Reilly, senior product manager for security at Symantec, points out that “it's not so much the tablet devices themselves that we should be worried about, but rather the applications running on the hardware.

“The ability to write code into an application and then repost the app with malware code embedded is the real risk. It's the embedded code that seeks out personal information to potentially exploit mobile users.”

He adds: “Smartphones have the ability to hold gigabytes of data and in so doing, critical information about your organisation could potentially fall in the hands of the wrong people or become general knowledge, as we have seen in the prime example of WikiLeaks.

“It can cause major challenges for the business; mostly related to trade secrets affecting share prices and ultimately determine the future of the company in severe cases.”

Reilly believes Android's popularity, coupled with the openness of its code, has made it the most vulnerable operating system.

“We also believe Google are taking steps to rectify the challenges of securing applications moving forward, which is encouraging for its users.”

ITWeb's Security Summit 2011

More information about ITWeb's Security Summit 2011, which takes place from 10 to 12 May 2011 at the Sandton Convention Centre, is available online.