Mobile devices expose networks to security threats
- — 27 February, 2007 14:20
The latest IT security threat plaguing the office is actually clipped to the belts and purses of a company's mobile workforce.
Wireless devices that can send and receive e-mail -- BlackBerries, Windows Mobile-based phones or other smart phones -- are emerging as serious corporate threats because they have become so advanced and widely used, yet are so thinly secured, that cybercriminals are targeting them as a path to corporate data, say security experts and vendors.
"There have been cases of viruses and other nasty things that can be done to mobile phones that have not really been serious yet, but they will be," says David Ferris, president of Ferris Research.
Mobile messaging threats come in a few flavors, according to David Champine, senior director of product marketing with security vendor Cloudmark. One is text-messaging spam, or quick Short Message Service (SMS) messages that mobile phone users receive directing them to a Web site where the sender is selling something, or in more sinister cases to a site that captures personal or financial information. This particularly annoying form of spam has been around for a few years, but hasn't been prevalent in the United States since text messaging is not as popular here as in Europe and Asia.
Much more menacing are the threats posed when employees access their corporate e-mail or other enterprise applications from a wireless device, Champine says. Because many mobile device users also check their Web-based mail and visit Web sites from these devices, which typically lack antivirus, antispam, Web filtering and other security software normally found on a PC, they are open to any threats lurking on the Internet and crossing e-mail connections, Champine explains.
Because an employee's mobile device -- often issued and approved by the IT department -- is open to such threats, so is the entire network when the employee connects to the company's Exchange server or enters data into a CRM application from the handset, he says.
"People trust these devices, they say 'I got it from my corporate IT guys, so it's got to be secure,' but attackers always look for the highest return from the least-known back door," Champine says.
Attackers also are preying directly on mobile service providers' networks.
McAfee, which makes mobile security software for companies and mobile operators that protects cell phones from viruses, Trojans and other threats, earlier this month released findings from a worldwide study it commissioned of 200 mobile operators. Of the respondents, 83 percent said their networks have been infected by threats that affect the mobile devices that connect to them.
Respondents also said the primary result these threats have had on their business is a decrease in customer trust and therefore satisfaction -- which can be a big issue in the mobile industry where customers will quickly jump to a competitor -- and network performance.
Cloudmark sells a version of its Authority e-mail security software for mobile operators that helps protect their SMS and e-mail networks from threats. But because most mobile device users open themselves up to unprotected Internet use, securing the service providers' networks won't solve the problem. IT managers should not let mobile users access their Web-based mail accounts from the same devices they access corporate resources, Champine says, and mobile device operating systems should be set for maximum security.
But there's a price to pay for greater mobile security. Mobile workers will no doubt grumble if they have to carry a personal phone for Web e-mail access as well as their corporate device, he says. And IT departments are likely to limit the amount of corporate data a mobile device can access, for fear of intrusion.