Feature

Questions & Answers


Gartner recently revealed that global sales of smartphones have increased by 49% in the first quarter of 2010. With more people than ever before using smartphones, the risk of losing company data due to loss or theft of a device is a real worry. This is particularly true for SMEs, which are less likely to have the IT expertise to hand in such situations. What is the simplest way for an SME to protect its mobile data? Is the rise in smartphone numbers going to lead to a higher number of mobile security disasters in the press over the next year?

Howard Pinto, Vodafone UK head of security:

As the use of smartphones increases, so does their business potential; better workflow efficiency, better customer satisfaction, not to mention productivity gains and reduced real estate costs. Gartner predicts they’ll become the preferred mobile working device, overtaking the laptop, within three years.

But as organisations issue their workforce with smartphones, it is vital security is not overlooked. People lose phones all the time; phone users are 15 times more likely to lose a smartphone than a laptop (Symantec Survey 2009). In addition, smartphones do not operate on one standard platform, so it is important that security for these devices addresses the varying security requirements of all platforms.

Arguably any organisation would never give employees a laptop without being confident it is fit for purpose and secure, but smartphone security is still often neglected.

To help SMEs mitigate the growing risk of data leaks and digital threats, here are our top five tips to consider when designing the smartphone security strategy:

A holistic approach is best. Businesses need to consider their existing security policy and what company information the policy seeks to protect when looking at how to secure their business networks, data and devices. This approach will help to prevent malware attacking corporate systems and the possibility of information leakage which could compromise corporate data.

  


Plan for diverse platforms. Unlike the fairly homogenous PC world, there’s significant heterogeneity in smartphone platforms. One-size security solutions may not fit all, so flexibility and planning are key, as well as awareness of how dynamic the smartphone space is, with new products constantly emerging.

Automate your security policies. Employees often use their own mobile devices for work which may increase the risk of security breaches. Automating security policies and software updates will ensure everyone complies with a business’ corporate security standards.

Balance productivity with control. Employees want to be free to work in a way that suits them best. So, it’s vital to design a strategy that balances security and control with the freedom to work in progressive and productive ways.

Manage the cultural shift to mobile working. Educating employees about sensible and secure device use will help reduce expensive device and data losses, especially for businesses who are just starting the move to mobile working.

Vodafone partners with industry-leading security vendors to offer security testing and a complete portfolio of managed smartphone security solutions, providing our customers with a single, real-time view of their security status including: Protection from malware, spyware and phishing attacks with the Vodafone Security software. This can be managed centrally to make sure devices stay protected from the latest threats to smartphones; Full Disk Encryption protecting business and personal information including storage cards. Pointsec Mobile Encryption provides a unique and consistent FIPS 140-2 certified solution across the Vodafone Mobile Exchange portfolio, with all policy managed centrally within Vodafone’s device management platform; and Vodafone Device Management service manages the removal of unauthorised applications, remote lock and wipe and control policies such as Bluetooth lockout.

 

Mike Jones, Symantec principal product marketing manager for security:

The growth in smartphones effectively means that more and more business users have the ability to carry around a substantial proportion of the usually office-bound information in their pockets. If this got into the wrong hands it could be hugely damaging. Therefore businesses of all sizes need to ensure that highly valuable data stored on the device cannot be accessed or intercepted by a third party.

It’s inevitable that with more smartphones on the market, there will be greater scope for data disasters, but simple common sense and a few straightforward measures can go a long way in mitigating the risks.

All companies should do the following: Ensure passcode lock is turned on so that a PIN number has to be entered to access the device; Enable ‘auto lock’ so that if the device is not used for a period of time a PIN number will be needed to use the device; Enable encryption measures (such as VPN links or secure sockets layer (SSL) technology) so that email is protected between the device and server; Turn on the ‘fraud warning’ within the browser settings (if available) to guard against being inadvertently sent to poisoned web sites. These can compromise both the device and the user.


Anthony Keyworth, Orange director of product marketing:

One of the most simple and effective ways in which an SME is able to protect their mobile data is through a hosted device management service. This enables businesses to remotely push out security measures across all of their employee devices.

The measures include the ability to remotely lock or wipe a device of sensitive company information should it be lost or stolen, as well as remotely enforcing password policies. The system also has the capacity to raise the alarm to IT managers should an unauthorised application or other piece of software be downloaded onto a device.

In addition, having a hosted device management solution allows IT departments to keep their costs down and their productivity up, by managing the activity of mobile phones in their fleets. For example, they might choose to lock Bluetooth, games or camera functionality.

Device management as a service holds particular benefits for remote and flexible workers. This is because the service offers functionality such as being able to remotely enforce company security policies, push out new security patches, and even remotely diagnose faults to ensure employees out on the road have fully operating mobiles, without having to return to the office.


SMEs and businesses of all sizes can also take advantage of services such as hosted Managed VPNs, which encrypt the data being accessed over their networks, keeping it safe from the threats of hackers or thieves.

If we look at where mobile devices are today, the range and functionality of new handsets coming to market is quite astonishing. It’s not news that they’ve transformed the way business is done locally and globally, but I certainly believe that the best is yet to come. In order to take advantage of that, businesses need to make sure they’ve got their basic mobile data security policies established from the start.

 

Bob Sweetlove, HSC business manager:

Much of the smartphone growth can be attributed to consumer users using mainstream consumer internet accounts, but this is probably a valid issue and there must be a lot of concerned IT managers around the world pulling their hair out wondering how they can control all the mobile computing devices in the hands of their company’s employees.

They will often err on the side of caution and not permit company email to be pushed to private employee smartphones. They have had to deal with this issue with laptops for a few years, with a few high profile data losses from stolen notebooks being reported, but typically there are more employees walking around with company mobiles than laptops.

In the larger business community, solutions like BlackBerry BES provide significant functionality to central administrators who can control settings and lock down content and devices very effectively.

However, in the smaller business community where there is typically no employed IT manager, there is a real risk. Outsourcing may be an answer to some businesses with cloud computing solutions that also provide tools to protect data on smartphones and in effect provide an outsourced IT manager. Some of the responsibility lies with the provider of the IT and mobility solution to the small business communities.


Dealers need to work with their customers to ensure that they appreciate the vulnerability to their business data some of the latest smartphone solutions could create and offer secure protection within the set up deployed.

 

Keith Horsted, Gteq channel development director:

There are applications that can be downloaded onto smartphones that will allow you to control the data on the device and protect them against viruses, as well as tracking the device if it is stolen.

I would argue that having a handset stolen or lost is not the worst thing that can happen to a company in terms of mobile data security. The reason for this somewhat controversial statement is quite simply that there are applications that allow your conversations to be monitored and texts matched against your address book and viewed online (such as FlexiSpy), so where do we draw the line?

Like most security issues, the weakest link is the human element; there is no mitigation against someone leaving their phone unattended or inadvertently sending information to the wrong person. Obviously there needs to be a balance between offering a useful service and locking it down so tightly that it becomes a business prevention system, and that is entirely up to the company involved.

Security is often cited as the reason why BlackBerry is used in preference to the Windows Mobile option. This is still the case and BlackBerry’s IT policies are very powerful (if used), although Microsoft would argue that they too have the ability to ‘fry’ a device if it is lost or stolen.


Good security policies will help prevent the majority of ‘accidental’ losses of data, but if you include voice as being a form of data you may need an additional deterrent such as call recording to reduce the risk of confidential disclosure.

Another option could be to host the mobile data service, as this will address the issue of data backup and data recovery, although it is difficult to sell, as you are usually pitching to a person whose job may be put at risk (turkeys looking forward to Christmas).

There is no getting away from the fact that data security is a business decision that should be taken under advice and weighed against the cost and potential risk of losing data against the cost of protecting against such loss. One man’s protection is another man’s straitjacket; there is no easy answer, but education will help.