Friday, December 09, 2005

Quocirca: The Way to Mobile Security

Clive Longbottom at Quocirca posts at the newly launched IT-Analysis analyst research website. Longbottom looks at the challenges and risks enterprises face managing and enforcing security policies for mobile devices. As he mentions, companies "will need to have solutions ready for when someone comes up and says their handheld device has been 'stolen' (aka 'I left it in Starbucks')."

With mobile devices able to carry around a growing amount of sensitive corporate (and personal) information, Longbottom points out that:

very few people set up any level of security on these devices; most even fail to utilise the four-figure PIN on start up. And encrypting the data is almost unheard of. Antivirus software and firewalls for these devices are in their infancy—luckily, few vulnerabilities have been exploited so far. Yet as we begin to use these devices in more critical ways—to access our email and corporate applications, to store a list of contacts—it's still easy to carelessly leave them in the back of a taxi.

Longbottom claims the weakest link in a company's mobile security strategy is currently the user. He states:

Mobile devices provide means of usage that are just too easy for bypassing basic security needs. You pay your money at the duty free or high street shop, and 10 minutes later you have a fully functional system that may have access back to the office (unless they've locked you out). You set up your email access, use the remote access client that's available on the device and—presto—you're thinking that there's no stopping you.

Of course, once the device is lost or stolen, whoever picks it up can most likely "press the 'on' button and the device automatically connects to your email inbox. Then the stranger can read, reply to and send emails in your name."

Longbottom insists that "companies must have suitable policies and procedures for the security of mobile devices and users, which must reflect the internal security policies and procedures around information and data access. Users must be educated in what these policies and procedures mean to them—down to the level of acceptable devices, and the need to secure the device and encrypt the data on it."