In-Depth
Mobile Devices: Ready To Explode?
Mobile personal devices are very convenient, but often quite dangerous.
Nothing in business ever comes for free, particularly productivity gains. Consider
the recent influx of more powerful Windows-based smartphones and personal digital
assistants (PDAs). Using these compact devices, employees can effortlessly access
and download sensitive corporate data between sips of their morning coffee,
which is certainly a welcome convenience.
Once their work is done, though, these employees are effectively walking around
with ticking time bombs in their pockets waiting to explode. Many industry observers
predict that these bombs will cause major explosions in the coming months.
"There's no doubt that a large company will encounter a major security
breach because of employees' use of cell phones," says Jack Gold, president
of Northborough, Mass.-based market research firm Jack Gold & Associates.
"The only questions remaining are when will it happen and how much damage
will it do?"
To illustrate the potential vulnerabilities, look at the case of Nicolas Jacobsen,
a 22-year-old hacker who was able to use cellular network password security
loopholes to access about 400 T-Mobile customer accounts. Hacking through mobile
devices, criminals may be able to not only access individual cell phone account
information, but also sensitive information like customer account numbers and
payroll data. Such information is increasingly being stored on portable devices.
To Support and To Protect
Handheld devices present IT departments with a unique set of support challenges.
"Users view handhelds as personal devices and treat them that way rather
than as important corporate assets," says Ken Dulaney, vice president at
Gartner Inc. Consequently, he adds, new security holes are emerging and IT departments
need to fill them immediately or they run the risk of encountering catastrophic
problems.
The rapidly growing processing power and storage capacity of these devices
are making employees significantly more productive when away from their desks,
so they're gaining a high profile in the enterprise. Hewlett-Packard Development
Co.'s iPAQ hx2795 Pocket PC, for example, features 384MB of memory, integrated
Wi-Fi connectivity and a 3.5-inch display.
Some IT organizations first started using these devices for niche applications
in industries like transportation. Data-Tronics Corp., a transportation logistics
supplier and subsidiary of Arkansas Best Corp., provides hardware and software
so companies can find the optimal transportation method to move their products
from location to location. The company outfitted several hundred users at its
pickup and delivery points with Dell Inc. handhelds.
"By providing users with an easy way to enter packing and shipping information at
our different locations, we gained a clearer and more up-to-date picture of
the status of shipments and availability of transportation resources,"
says Doug Cogswell, director of technical services at Data-Tronics.
E-mail systems are another area where reliance on handheld systems is increasing.
One reason for this is the more advanced functions of the systems. What has
helped in this regard is Microsoft's decision to begin bundling Exchange Server
Service Pack 2 and Messaging and Security Feature Pack (MSFP) software in Windows
Mobile 5.0. This lets users send e-mail messages and contact information to
handheld devices over cellular networks, something Microsoft calls Direct Push.
And it doesn't stop there. Handheld devices are encroaching upon the hallowed
grounds of legacy applications. United Agri Products Inc. (UAP) is a retailer
and service provider to farmers in North Dakota, South Dakota, Minnesota, Montana,
Kansas and Canada. It has about 35 account managers who visit current customers
and potential customers, attempting to convince them to use the firm's containers,
seeds, bulk storage system and produce-handling services.
In 2005, UAP gave its salespeople handheld devices from Dell, HP and Motorola
Inc. so they could access information stored in Microsoft's Dynamics Enterprise
Resource Planning (ERP) package. "Replacing manual entry methods with handhelds
increased the accuracy of the input and reduced salespersons' data entry chores
from hours to minutes," explains Bert Berkholde, UAP's IT director.
Along with enterprises, academic institutions are also realizing some of the
productivity benefits of these devices. About four years ago, the University
of Kentucky supplied mobile employees in select departments like athletics and
facilities management with smartphones. "About a year or two ago, the interest
level in smartphones took off. Just about every one of our employees is interested
in technology that will make them mobile," says Doyle Friskney, chief technology
officer at the university, which has about 500 smartphones on campus.
Take Stock
While they offer potential benefits, handheld devices present significant challenges,
starting with their purchase. Because prices for these devices have dropped
to a few hundred dollars and are often included in carrier service plans, buying
them is a simple process, one that often occurs beyond the purview of the IT
department. "Consumers walk into Best Buy on the weekend, pick up cell
phones, and then connect them to the company network on Monday morning,"
says Richard Stone, vice president of marketing at Addison, Texas-based mobile
security supplier Credant Technologies Inc.
So the first step in securing mobile devices is figuring out who has them.
"There are always a lot more handhelds accessing company networks than
the IT department thinks there are," says Jack Gold & Associates' Gold.
Even though users may not turn to the IT department for help buying these products,
these departments are responsible for them. "Because of recent changes
in federal compliance regulations, the IT department needs to put checks in
place to make sure that data accessed via handhelds is protected," says
Stone. Currently, handhelds represent an area where such checks are likely missing.
Data-Tronics found that its handheld Wi-Fi features were problematic. The devices
come with an inherent feature that sends out a message in search of local wireless
networks. Unfortunately, the function also notifies intruders that a handheld
device is in the area. "We tailored our systems so they don't broadcast
their location to everyone," says Data-Tronics' Cogswell.
Keeping all of the software -- including updates, security patches and new
versions -- running on handhelds up-to-date is a challenge. Data-Tronics had
to develop its own software to update new configuration data on the handhelds.
IT departments also need to make sure the devices are safe. As with any other
device connected to an enterprise network, IT departments must guard against
outsiders hacking into the system and corrupting corporate data. This is not
as much of a possibility for these devices as it is with PCs and laptops --
at least for the moment (see "Handheld Security Is Rudimentary at Best").
Lost and Found
While hackers generate the headlines, IT managers face more mundane security
issues with company handhelds, beginning with lost phones. Because they're small
and users can carry them anywhere, they're often inadvertently left behind.
"Cell phones are the most commonly lost item at airports," says Gold.
Taxi cabs are another place where busy executives often lose their devices.
Once a smartphone disappears, companies then need to figure out what corporate
information may be vulnerable. "Users view their handheld use as revolving
around 'only e-mail,' but they often include attachments with their messages
and those attachments often contain sensitive corporate data," says Robert
Enger, vice president of product management and global marketing at Check Point
Software Technologies Ltd., located in Redwood, Calif.
Handheld Security Is Rudimentary At Best
Security issues often present IT departments with a risk/reward trade-off.
How much time, money and effort do they need to spend in order
to make sure that corporate information is safe? At the moment,
the level of interest from hackers in smartphones has been
low but the devices have a number of potential security holes,
which means IT departments can hardly ignore the threat.
Cell phones have been designed for consumers as well as business
people, so the security features have been limited. The password
systems used to protect handheld data are weak and fairly
easy to compromise as illustrated by a few high-profile break-ins
over the past few years. A U.S. Secret Service agent's handheld
was hacked, and after Paris Hilton's cell phone was compromised,
her contact list spread across the Internet.
User-Defined Passwords
One reason for the problem is users often have a great deal
of responsibility for securing the password system. Initially,
carriers assign customers default passwords, which they're
supposed to change once they access the network. In many cases,
they fail to take that step and leave themselves open to intruders.
Another problem is users pick easy-to-remember passwords,
such as their first name or simple numeric sequences, like
123456. If a password is simple for the user to remember,
it's also simple for the hacker to crack.
As the various problems become clearer, cell carriers are
trying to harden their password security. Some support digital
signatures, which are a robust way to authenticate users,
while others sell only handsets with protected memory, which
can prevent malicious applications from accessing data or
parts of the phone's operating system.
The malicious applications come from hackers, who have shown
only passing interest in cell phones to date. One reason is
handhelds traditionally possessed little processing power
and therefore did not merit attention as a potential carrier
of malware. As the devices gained the power needed to support
multi-media applications, they also gained the ability to
run all of the malware found on PCs and notebooks.
"Most of the cell-phone malware has been demonstrated
more in theory and test than viruses racing across the Internet,"
says Todd Thiemann, director of device security marketing
at Trend Micro Inc., a supplier of network anti-virus and
Internet-content security software and services.
Little Threat From Viruses
The first wave of viruses, worms and Trojan horses designed
for handheld systems arrived in the summer of 2004 and WinCEDUTs
corrupted data for users working with Microsoft Mobile. Since
then, a few hundred viruses have emerged but none has done
significant damage. "I tell clients that the risk of
mobile viruses is quite low right now," says Ken Dulaney,
vice president at Gartner Inc.
There are a few reasons why that's legitimate advice. Cellular
carriers have a great deal of control over handheld communications
and have put up barriers, such as firewalls and virus-protection
software, which prevent hackers from accessing their networks.
In addition, hackers want the biggest bang for their time
and effort by having their artwork replicated on as many systems
as possible. Windows is usually the object of their desire
because it has such a large installed base. The smartphone
market is small, accounting for about 8 percent of all cell
phones sold in 2006, according to Gartner. Compounding the
issue, the handheld operating system is much more fragmented,
with Microsoft, Symbian and Linux dividing up the booty and
depriving hackers of a big fat target device.
IT departments understand that no security threat should
be ignored. Installing anti-virus and spyware products from
companies such as McAfee Inc., Symantec Corp. and Trend Micro
is a sound choice. Companies do not -- at least for the moment -- have
to put as much time and effort into guarding smartphones from
malware as they do with their desktop and laptop systems.
-P.K.
In many cases, of course, this data isn't secured. Because they view handhelds
as personal devices, users typically do little to protect the data on them.
Many rely solely on faulty password protection as their only security check.
If the device falls into the wrong hands, though, sensitive information is at
risk.
Consequently, they need to take additional steps to protect sensitive information.
"At a minimum, data on handheld devices should be encrypted," says
Gold.
Microsoft is trying to help companies protect their data. There's a device-wiping
capability in its Windows Mobile software. If a person tries to access the information,
it will wipe out the data. "While the updates with Vista are beneficial,
the reality is most users will be working with earlier versions of Windows [Mobile]
and their information needs to be protected," notes Gartner's Dulaney.
The different security holes illustrate the need for companies to put policies
in place to protect corporate data. "While there's no difference in the
potential damage from what a cell phone can do versus what can happen with a
PC or a laptop, there seems to be a disparity in the recognition of that threat,"
says Gold.
In fact, analysts estimate that as few as 10 percent -- and at most 35 percent
-- of organizations now have policies in place that outline how to secure handheld
devices. Without such policies in place, companies are running a risk.
"It wasn't until last year when the Veterans Administration acknowledged
that a system with more than 20 million veterans' and their spouses' names and
Social Security numbers was missing that many organizations took a closer look
at their laptop security policies," says Stone. "Unfortunately, the
same scenario is playing out with smartphones. As they become more powerful,
there's no doubt that a major security breach will happen. The only questions
are how close are we to it and how much damage will it do."