Tuesday, January 19, 2010

Smartphones need smart security practices

Yes, it's 'blue and plays music,' but that cute smartphone is also a serious computer that must be secured
By Mary Brandel
January 18, 2010 06:00 AM ET

Computerworld - As vice president of IT at Windsor Foods in Houston, Stephan Henze has to stay one step ahead of the latest IT trends. That's why he's spending a lot of time thinking about securing and deploying smartphones enterprisewide. The company had only a few-dozen smartphones just a short time ago, but IT now manages about 100 of them, and Henze foresees substantial growth in the near future.

The task of securing smartphones keeps getting hairier, Henze says, while the company's need for mobile communications grows stronger, even on the shop floor, where maintenance engineers will soon receive automatic SMS alerts on their phones.

He's not sure he can continue to enforce the company policy of supporting only Windows Mobile-based phones, yet nonstandard devices will complicate his security efforts. He is well aware that for some people, a smartphone is a fashion statement. "With PCs, I was able to tell them we're not a Mac environment, but I'm not sure I can do that with phones down the road," he says.

Henze is among a growing number of IT and security leaders grappling with the challenge of securing these increasingly popular devices. The primary concern, of course, is the risk of exposing sensitive data if a phone or removable memory card is lost or stolen. Data can also be exposed if a phone is sold or sent in for repairs without its memory first being erased.

There's also the risk that VPN-connected devices could expose corporate networks to hacker and malware intrusions. And there's a growing potential for viruses to attack the phones themselves through SMS hacks and other exploits. "If I take your device and muck around with it, what if the VPN is set up on it?" asks Philippe Winthrop, an analyst at consultancy Strategy Analytics Inc. "It's a huge risk not being dealt with enough today."
10 smartphone security risks

Here's a look at 10 common smartphone security risks, with tips for dealing with them from Gartner analyst John Girard:

1. No configuration management plan.
Tip: Responsibility for managing smartphones should be given to the same staffers who provision and manage PCs.

2. No power-on password, or a weak password policy.
Tip: Several vendors' device management consoles allow you to configure password complexity rules and password reset questions and answers.

3. No inactivity timeout/auto-lock.
Tip: Timeout policies should be enforced over the air through your device management console, so that the enterprise can maintain near-real-time control.

4. No auto-destruct/data-wiping plans.
Tip: Two methods should be used: over-the-air commands and locally initiated wipes. The latter should occur after a password has been entered incorrectly a certain number of times or when a device has been off the network for a predefined amount of time.

5. No memory encryption rules.
Tip: Major enterprise smartphone operating systems provide settings for enforcing encryption.

(continues on next page)

Complicating matters, users are apt to view smartphones as their own personal gadgets, not something IT should control. "There's a deep underlying current of 'This is my mobile device,' " says John Girard, an analyst at Gartner Inc. A user will often see his smartphone as something that's "blue and plays music," not as an asset that needs to be secured, he says.

Smartphones' multimedia capabilities raise other concerns, Girard says. For instance, company policy might prohibit moving corporate documents to external media, but is there a policy that governs using a smartphone to take photographs in the office or record meetings?

Many companies try to take control by purchasing standard phones for employees -- a move that at least enables them to support just a single operating system. But even then, users may adhere to the standard only loosely, says Paul DeBeasi, an analyst at Burton Group. "I see employees who have the company phone in their left pocket and their personal phone in their right," he says.

Indeed, in a recent study of 300 companies in the U.S. and Europe by Good Technology Inc., a vendor of mobile security and management tools, nearly 80% of the respondents reported an increase in the number of employees who wanted to bring their own devices into the workplace in the past six to 12 months, and 28% reported a data breach because of an unauthorized device.

To view the whole article, select this URL. http://www.computerworld.com/s/article/345297/Smartphones_Need_Smart_Security