Smartphones could cause security risk in workplace www.privateofficer.com
Washington DC May 31 2011 Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.
Personal mobile devices could prove a security risk in the workplace.
Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.
Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”
Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.
“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”
An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.
What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Gosh, founder of Web browser security firm Invincea.
Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-readers, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units, tablets, zero and e-readers, 3 million.
“As mobile devices become a replacement for the desktop computers, the problem of malware (malicious software) will grow significantly on the mobile platform,” says Gosh. “Unfortunately, the security industry has not developed products suitable for battery-constrained mobile devices, which makes it ripe ground for malware writers.”
Underground and legitimate researchers flushed out 163 fresh security holes in mobile operating systems in 2010, compared with 115 in 2009, says Dean Turner global intelligence director for antivirus giant Symantec.
It won’t be long before cyberthieves steal information off mobile memory cards and run networks of corrupted computers from mobile devices, Turner testified at a congressional hearing on cybersecurity threats recently.
They already are creating tainted apps, several of which have surfaced in the Android Market, Google’s official online store, says Kevin Mahaffey, chief technology officer at Lookout Mobile Security.
One recent attack spread corrupted versions of 50 legitimate game and entertainment apps, which were downloaded at least 250,000 times, Mahaffey says.
Of particular concern is location-tracking technology built into the hottest-selling smartphone and tablet models. Roughly one-third of the Web apps available in Android Market and in Apple’s App Store make use of location data that can pinpoint the whereabouts of the device user, says Mahaffey.
But location-tracking has introduced unprecedented privacy and legal concerns, says Hugh Thompson, chairman of RSA Conference, the nation’s top cybersecurity conference held annually in San Francisco. “Time bomb may not be the right word, but there certainly are some interesting unintended side effects coming to light,” says Thompson.
What if a company gets sued and the court seizes data from an employee-owned smartphone? Thompson posits. “If I get this device, I also get access to all this interesting personal data about the employee, too,” he notes.
McAfee’s Barnett says corporate technology staffers are asked to give corporate access to personal “mobile devices in a much faster, more complex way than ever before.”
“In the past, we asked them to issue company-owned laptops, give a few privileged users locked-down BlackBerrys, and that was it,” says Barnett. “Today, they’re being asked to accomplish a far greater feat.”