Smartphone theft or loss is a major security threat for IT professionals, who must deal with multiple smartphone platforms, ineffective security policies and end users' overwhelming desire to connect to the company network with a single device.
Four in 10 organizations have had mobile devices lost or stolen, and half of those lost or stolen devices contained business critical data, according to a smartphone security study (PDF), undertaken by researchers at Carnegie Mellon University. The report, commissioned by McAfee Inc., outlined the results of a survey of 1,500 people from 14 countries, administered by research firm Vanson Bourne.
The survey found more than a third of mobile device losses have had a financial impact on organizations. The risk of device loss casts a shadow over the threat of malware targeting mobile platforms. Despite predictions of increasing mobile platform attacks, so far attacks have been minimal. Carnegie Mellon researchers say risky behaviors and weak security postures are common and pose a bigger threat than mobile malware.
End users are doing little to lock down their devices. Fewer than half of device users back up their mobile data more often than weekly, the study found. About half of users keep passwords, PINs or credit card details on their mobile devices, and one in three keep sensitive work-related information on their smartphones.
Smartphone security policy struggles
Organizations have security policies in place that address mobile devices, but the study found fewer than one in three employees are aware of their company’s smartphone security policy. Most employees are unaware of their device’s access permissions, and those who are aware say the policies are too strict, meaning enterprises are struggling to set policies without hurting productivity.
“Policy creation and enforcement are proving problematic,” the report found.
The report touts smartphone management software to monitor and enforce policies across different platforms. Geolocation data, remote wipe capabilities and other features found in the software can be used to make employees aware that their devices contain sensitive personal and business data.
“Users need to understand what their company’s policies are and why they’re in place,” the report said. “They must understand they are stewards of their company’s information, and their own livelihood depends on keeping information secure.”
The report recommends businesses address mobile device security by better communicating security policies and educating end users about the threats to data on smartphones. Organizations should apply the same security and management processes to smartphones that they do to laptops and desktops, according to the report. Data needs to be classified and the proper protections applied for access and mobility.
Smartphone file-based encryption works well for removable media, said Chris Burchett, CTO and co-founder of Addison, Texas-based data encryption vendor Credant Technologies. Burchett said mobile devices are tapping into Web-based storage repositories and file systems outside the company walls, creating an even bigger headache for IT security professionals.
“If businesses don’t have to move the data to the device, then maybe that’s a better model,” Burchett said. “It comes down to access control, key management for collaboration and data sharing.”
The report also recommends organizations find a way to strike the right balance when applying policies.
“Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role and the situational context,” according to the report.
In a recent interview with SearchSecurity.com, Winn Schwartau of Atlanta-based smartphone security vendor Mobile Active Defense said mobile devices are breaking the traditional security models at enterprises. C-level managers are forcing IT to connect the devices to the corporate network and, ultimately, to support the different device platforms, he said.
“The restrictive capabilities have not been implemented and designed yet at the corporate level to address this,” Schwartau said.