If you’re like many others, you’ve come to the conclusion that smartphone security risks have become an enterprise's greatest challenge to security and compliance. But why?
It’s simple. First off, many -- perhaps most -- users in any given business have a phone for sending and receiving emails, browsing the Web and storing files. Phones are becoming the new desktop. Secondly, people aren’t taking smartphone security risks seriously. A recent study of smartphone users by AVG Technologies and Ponemon Institute LLC confirms that people haphazardly store sensitive information and don’t protect their phones the way they should. In fact, the study of 734 adult U.S. consumers found that people were more concerned with receiving spam than they were about mobile malware infecting their systems.
Finally, smartphone hacking is simple. In fact, doing so is often a matter of someone with ill intent stumbling across a device. No password, a weak password or the lack of encryption of those neat little micro SD cards is typically all it takes to expose any and all information stored on the device. In addition, virtual private networks and remote desktop connections providing access into enterprise networks are vulnerable. The AVG/Ponemon study found that 66% of respondents store personal and personally identifiable information on their phones. Based on what I see in my work, I’d venture to guess the other 34% of users are in denial about smartphone hacking.
When it comes to smartphone hacking and overall mobile device security and compliance, most people don’t have a say in how their information is protected. For instance, I recently emailed some health-related test results to a physician friend, knowing all along that she was going to read them from her undersecured phone. That was my decision, but the reality is that most people don’t have this choice. Their sensitive information is being mishandled, and there’s absolutely nothing they can do about it -- except for suing the business after the fact.
So here is the big question: Are you going to tolerate your users calling the shots when it comes to locking down the phones used across your enterprise? This is especially critical when it comes to executives, doctors and others who believe they know best and don’t want to be told what to do. Ignoring this problem and writing it off as an impossible political hurdle is a dangerous path to go down. However, many businesses are already well on this journey.
Your business would be well-served if you came up with some security standards, policies and controls (i.e., a mobile device management system) to get this mess under control. But although they are better than nothing, security standards are not foolproof. Even with seemingly secure phone configurations, there are tools such as Elcomsoft iOS Forensic Toolkit and Elcomsoft Phone Password Breaker that can negate many of your controls. If that ends up happening, at least you’ll be able to argue that you took reasonable steps to alleviate smartphone security risks and prevent your phones from being hacked.
Odds are, at this very moment your compliance efforts are being completely negated by unsecure and mismanaged phones. Now is as good a time as any to do something about these innumerable smartphone security risks.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.
This was first published in August 2011