 |
 |
By Ian Kilpatrick, chairman Wick Hill Group.
Smartphone use is proliferating, but smartphones come with a range of security problems.
Principally, they are very easily lost. This is a problem when smartphones today may contain personal, financial and company confidential information.
Smartphones can also allow connection by the user onto the company network, presenting opportunities for unauthorised access, and all the havoc and financial loss that may cause. Not to mention the risk of a visit from the Information Commissioner’s Office (ICO), which has the power to fine organisations for data loss.
Security tips
There are a number of basic security procedures which organisations and individuals can take to increase security of their smartphones: Use the PIN or passcode function to secure the phone. Don’t rely on the default factory settings; Install data wiping facilities so critical information can be destroyed if it is thought the phone has fallen into the wrong hands. This might happen, if
for example, a password is entered wrongly a certain number of times, or when a device has been off the network for a certain period of time; Employ time-out policies to prevent further use of the phone, if it is inactive for a certain period of time. This should be initiated from a central management console; Install GPS tracking so the phone can be located if stolen; Install SIM watch. This reports the new number back to you if the SIM is removed and replaced; Take similar data leakage protection measures as with a PC.
On the latter, users should treat the phone like it’s a PC: Beware of phishing emails, don’t follow links you’re not sure of, don’t download anything suspect, recognise the risks of unsecured WiFi connections, etc; Stipulate that sensitive, critical information should be made available to users of smartphones on a ‘need to know’ basis; use two factor authentication (with challenge response) to validate access to the smartphone; encrypt sensitive data, as many smartphones and security suppliers provide facilities to enforce this.
There is often as much data on a smartphone as on a laptop, but a smartphone is more vulnerable to loss or theft.
Solutions
Commercial security solutions for smartphones are available from a number of vendors such as Sipera, Kaspersky Lab, CRYPTOCard and Check Point.
Kaspersky Lab’s Mobile Security 9, for example, helps users to safely browse the web and communicate via social networks. Features include inbuilt GPS to locate a lost or stolen smartphone, protection from malware and network attacks with real-time anti-malware scans, automatic updates and blocking of dangerous network connections.
Sipera has a comprehensive solution which recognises that smartphones are converged voice and data products. Features include automatic authentication into the enterprise telephony infrastructure for smartphones using VoIP over WiFi, 3G, 2G, GPRS or other data networks, so all security policies and rules can be applied to the smartphone.
Additionally, all communications to the smartphone with the Sipera solution can use the same strong encryption as the organisation’s other services accessed over non-secure public networks. And IT managers can include the management of smartphones in a single management console which controls security of all end points across the enterprise.
Conclusion
Smartphones are an incredible tool for executives on the move, needing to keep in touch with the office. Their use looks set to proliferate. However their security is lagging behind their growth, especially as they are so easily lost or stolen.
Smartphones carry with them the risks of any computer on a network and at the same time cross the divide between voice and data, which brings security risks of its own. For an organisation to remain secure, smartphones need to come within the sphere of the security policy, their use needs to be regulated and active steps should be taken to employ them securely.