The issue of information security becomes more important with each new media report of hacking or stolen personal information. For most people, using mobile devices to send and receive e-mail that may be confidential is not an issue. Hi-Tech Security Solutions spoke to Sinisha Patkovic, director of BlackBerry Security at Research In Motion (RIM) about the realities of mobile security today.
Hi-Tech Security Solutions: There is much talk about the threats to business from mobile devices carrying sensitive information, but the problems we hear about (like Sony) do not seem to include mobiles. How serious is the threat to mobiles?
Sinisha Patkovic: Like any computing device, mobile devices may be prey to malicious programs, or malware. Protecting any computer system from malicious programmes such as viruses, Trojans, worms and spyware can be accomplished through detection and containment.
Detection is the process of determining whether a programme is malicious, something you typically see on any PC. Not only is it a reactive way to deal with the problem, but effectively detecting malware on a smartphone is also difficult because of constraints such as limited processing power, battery capacity and storage space to cater for security solutions such as traditional antivirus software with large signature databases. There is also no guarantee that an attacker will not deploy a freshly written piece of malware onto your user’s device, which will be very hard to detect with the current generation of anti-virus scanners. Such malware will go undetected and provide stealthy access to your organisation’s information for an unlimited time.
Containment, on the other hand, is more proactive. Here the system controls access to the information, APIs, and device software and other applications on the device. The malware cannot spread as it cannot gain the necessary access to resources. Obviously, the containment approach is much more effective, as it not only provides protection against any potential threat in the system, but it also does so at a minimal expense; there is no extra software required to be deployed and managed, and there is virtually no impact on the smartphone’s memory, CPU and battery.
While containment is superior to detection in most aspects, most manufacturers avoid doing it because it comes at an expense: it must be well designed into all layers of the software, and it must be well implemented.
HSS: Where do the greatest mobile threats come from – malware/stolen devices/hacked devices?
Patkovic: Since smartphones are very personal in nature, they can go everywhere your users go. This means that there is a good chance that some are going to be lost, stolen or left behind. There are a number of considerations for organisations to take when planning how to deal with these types of situations.
The business risks of an unsecured device falling into the wrong hands as a result of theft or loss can be enormous. The consequences may include public embarrassment and bad press, theft of sensitive financial and customer data or intellectual property, legal trouble and strained relationships with customers. Being able to remotely wipe and disable a rogue device is essential. However, it is even more critical to ensure that your mobile platform is not allowing unauthorised software to run on it.
HSS: More companies are allowing employees to use the devices (laptops, tablets and smartphones) they prefer. Would it not be better to limit the devices to those the company is sure it can secure?
Patkovic: The consumerisation of IT is one of the biggest challenges CIOs face today. What is at stake here is the reputation of their brand and their business. Such is the impact of security breaches where sensitive corporate or private customer information is lost, exposed or stolen. Although the impact varies with the type of attack, the size and nature of the breach and the industry, there is always a financial component and damage to reputation involved. This is why it is very important for organisations to take a good look at the risks associated with the consumerisation trends, and how to deal with them. With the right policies and technologies in place, organisations can feel confident in allowing the use of personal employee smartphones.
Here are the basic areas your policy for employee-owned devices should cover.
* Define which employees can access the corporate network with a personal device.
* Define the applications and services that can be accessed.
* Decide how the costs will be split.
* Decide which platforms and types of devices your organisation will support and what level of support will be provided.
* Consider the security measures and IT policies that will be enforced on employee-owned smartphones.
HSS: How do corporate risk managers need to adapt their security policies to incorporate remote and mobile work?
Patkovic: Making the right security decision for your organisation relies on striking the right balance. There are typically two extremes which manifest if the balance is not found.
* Too much security. Often due to a fear of the unknown and mobility not being completely understood within the organisation, all features and functions get locked down.
* Not enough security. In contrast, too little security stems from IT administrators looking for the path of least resistance, usually as a result of ignoring security questions when they arise.
This returns to the question of balance. Users will often willingly accept strict security measures provided that they are as transparent as possible, do not cripple functionality and enable them to be more productive. If a device is locked down too tightly, users will simply reject it, which then puts pressure on the organisation to introduce devices that cannot be secured or controlled; but if the device is left too open a potential risk is introduced.
HSS: What are the basic security measures/processes mobile workers should adopt?
Patkovic: Mobile workers using a smartphone should follow these easy tips:
* Use a strong password: Setting a reasonably strong password is the single easiest and most effective way to lock down your private data. Without a password, much of your data is accessible to prying eyes. With a password, you are far more secure.
* Set the number of password attempts: If a password is typed incorrectly 10 consecutive times, all of the information on the smartphone is automatically deleted. You can change the number of attempts to 3–10.
* Lock your phone automatically after a certain amount of time: You should set the security timeout feature to automatically lock your smartphone after a set amount of inactivity. For lost or stolen smartphones, this is a critical security block.
* Encrypt the data on your smartphone and media card. Encryption mixes everything up so no-one but you can read anything without the correct password.
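The first three tips in the checklist above (a password, a bounded number of failed attempts before the device wipes itself, and an inactivity timeout that re-locks the device) can be modelled as a small state machine. The block below is an added illustration, not BlackBerry's code; the class and field names, the default timeout and the minimum password length are assumptions, and the lost-device scenario at the end is constructed. The encryption tip is not modelled here.

```python
"""Model of the lock-screen controls from the checklist: a salted password
verifier, a failed-attempt counter that wipes the device when the policy
limit is reached, and an inactivity timeout that re-locks the device.
Names, defaults and the sample scenario are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# The interview gives 3 to 10 as the permitted range for the attempt limit.
MIN_ATTEMPTS, MAX_ATTEMPTS = 3, 10


@dataclass
class SecurityPolicy:
    max_attempts: int = 10      # default attempt limit named in the interview
    lock_timeout_s: int = 120   # assumed default inactivity timeout
    min_password_len: int = 8   # assumed minimum length

    def __post_init__(self) -> None:
        # Reject a policy the platform would not accept, so a misconfigured
        # attempt limit cannot silently disable the wipe.
        if not MIN_ATTEMPTS <= self.max_attempts <= MAX_ATTEMPTS:
            raise ValueError(f"max_attempts must be {MIN_ATTEMPTS}-{MAX_ATTEMPTS}")
        if self.lock_timeout_s <= 0:
            raise ValueError("lock_timeout_s must be positive")


@dataclass
class Device:
    policy: SecurityPolicy
    storage: dict = field(default_factory=dict)   # user data at risk if the device is lost
    locked: bool = True
    wiped: bool = False
    failed_attempts: int = 0
    last_activity: float = 0.0
    _salt: bytes = field(default_factory=lambda: os.urandom(16))
    _pw_hash: bytes = b""

    def _derive(self, password: str) -> bytes:
        # Slow, salted hash so the stored verifier is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        if len(password) < self.policy.min_password_len:
            raise ValueError("password too short for policy")
        self._pw_hash = self._derive(password)

    def unlock(self, password: str, now: float) -> bool:
        """Return True on success; wipe the device once the attempt limit is hit."""
        if self.wiped or not self._pw_hash:
            return False
        if hmac.compare_digest(self._pw_hash, self._derive(password)):
            self.locked = False
            self.failed_attempts = 0
            self.last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_attempts:
            self.wipe()
        return False

    def wipe(self) -> None:
        # A remote wipe and the attempt-limit wipe end in the same state.
        self.storage.clear()
        self._pw_hash = b""
        self.wiped = True
        self.locked = True

    def enforce_timeout(self, now: float) -> None:
        if not self.locked and now - self.last_activity >= self.policy.lock_timeout_s:
            self.locked = True

    def read(self, key: str, now: float) -> str:
        """Data access is refused while the device is locked or wiped."""
        self.enforce_timeout(now)
        if self.locked:
            raise PermissionError("device is locked")
        self.last_activity = now
        return self.storage[key]


def simulate_lost_device() -> dict:
    """Constructed scenario: a finder guesses passwords on a device with a
    3-attempt policy; the wipe fires on the third failure."""
    device = Device(SecurityPolicy(max_attempts=3, lock_timeout_s=60))
    device.set_password("correct horse battery")
    device.storage["inbox"] = "confidential mail"
    guesses = ["password", "12345678", "letmein1"]
    results = [device.unlock(guess, now=float(i)) for i, guess in enumerate(guesses)]
    return {"unlocked": any(results), "wiped": device.wiped, "remaining": dict(device.storage)}
```

The policy object validates the attempt limit at construction time, which is the check a practitioner would want: a limit outside the supported range should fail loudly rather than leave the device with no wipe at all.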
HSS: What does BlackBerry offer as standard to its clients that helps secure their data?
Patkovic: Just by following the checklist above, your personal data will be locked down like a safe. But your BlackBerry smartphone protects your data in other ways too. Here are some examples:
* Your BlackBerry smartphone authenticates the BlackBerry Operating System every time you start the device. This prevents an attacker from tampering with the operating system, by planting a back door for example. This provides a secure and trusted environment for other applications you may allow on the device.
* Secure browsing to shopping and banking sites using SSL encryption.
* Attachments are rendered into safe formats to help protect you from malicious code.
* Applications received in e-mail cannot run on your BlackBerry smartphone.
* By default your BlackBerry smartphone continually removes sensitive data from temporary memory.
Our BlackBerry Enterprise Server offers over 500 IT policies, catering to the security needs in businesses where data privacy and protection are business critical, but equally to those organisations where security is a nice-to-have rather than a requirement.
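The boot-time authentication of the operating system mentioned in the answer above works by checking the OS image against a tag fixed at build time and refusing to hand over control if the check fails. The block below is an added illustration, not RIM's implementation. Real devices verify a vendor signature with a public key held in hardware; to stay within the Python standard library this stand-in uses a keyed hash (HMAC-SHA-256) with a constructed key, and the sample images are constructed as well.

```python
"""Verify-before-boot check, as an added illustration of authenticating the
OS image at every start. HMAC with a constructed key stands in for the
vendor signature a real boot loader would verify with a hardware-held
public key; images and names below are constructed for the example."""
import hashlib
import hmac

# Constructed key for the illustration; a real loader holds a public key, not a secret.
BOOT_KEY = b"constructed-boot-key-for-illustration"


def sign_image(image: bytes, key: bytes = BOOT_KEY) -> bytes:
    """Tag produced when the vendor builds the image (stand-in for signing)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes = BOOT_KEY) -> bool:
    """Constant-time check the boot loader runs before control passes to the OS."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def boot(image: bytes, tag: bytes) -> str:
    """Halt on any mismatch: a modified image never gets to run."""
    if not verify_image(image, tag):
        return "halt: OS image failed authentication"
    return "boot: OS image authenticated"


# Constructed sample images: the build as shipped, and the same build with
# extra code appended, which is how a planted back door looks to the loader.
SHIPPED_OS = b"os-image v1.0\x00kernel\x00radio\x00"
SHIPPED_TAG = sign_image(SHIPPED_OS)
MODIFIED_OS = SHIPPED_OS + b"extra-code"

if __name__ == "__main__":
    print(boot(SHIPPED_OS, SHIPPED_TAG))
    print(boot(MODIFIED_OS, SHIPPED_TAG))
```

The design point is that the tag covers the whole image and is checked on every start, so a change anywhere in the image, including code appended after the original build, is rejected before the operating system runs.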
© Technews Publishing (Pty) Ltd. | All Rights Reserved.