Establishing Digital Trust: Don't Sacrifice Security for Convenience
Smartphone adoption skyrocketed in 2010. According to Visiongain, Android sales leapt 886 percent this year, fast over-taking the popular game-changing iPhone. When workers head home for the holidays, they'll be taking these new smartphones with them. According to a survey on holiday habits conducted by Symantec, a whopping 90 percent expect to use smartphones to engage in at least some business activity. Let's look their anticipated holiday uses, associated risks, and what can be done to neutralize them.
Mixing business with pleasureWhen Symantec decided to survey users about holiday plans, they expected to find activities like online shopping. "Results were mostly consistent with our expectations," said Khoi Nguyen, director of product management for Symantec's Mobile Security Group. "But we were surprised by the amount of work use during the holidays."
Eighty-three percent of respondents planned to use smartphones for a mix of business and personal activities. But, although 63 percent were aware of smartphone security solutions, just 23 percent reported using them. Sadly, half agreed with the statement: "Smartphone security software is beneficial, but not essential." This shows a gap between risk awareness and mitigation. "People haven't yet been directly impacted [by mobile threats] and think they aren't exposed," said Nguyen. "They don't fully understand that smartphones are endpoints that must be protected, like PCs."
Businesses should take note of this attitude and not just during the holidays. Given consumerization of IT, employee-owned smartphones are undeniably now used for business. But employers cannot rely upon users to secure their own devices. At minimum, companies must establish policies regarding authorized smartphone use and mandatory security measures.
Missing smartphoneshttps://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iA solid 68 percent of those surveyed cited loss or theft as their top smartphone concern. This finding parallels what many employers already know: Phones are far more likely than laptops to be left in cabs, on bar stools, or mysteriously disappear from pockets. However, just 56 percent of users said the data stored on their phone was more valuable than the device itself. Employers should find this alarming, given the high cost (direct and indirect) associated with data breaches. Companies must inventory smartphones used for business and establish mechanisms for remotely wiping data stored on lost or stolen devices. If nothing else, start with voluntary employee registration supported by consumer find/wipe services like MobileMe.
Email from unknown senders
Among users surveyed, work-related email tied with personal phone calls for most frequent smartphone use over the holiday. Alas, 64 percent said they were at least somewhat likely to open email messages from unknown senders 14 percent very likely. These numbers combine to produce a high risk of being compromised by targeted phishing email on smartphones. Specifically, workers who check corporate email on a laptop or desktop are more likely to use an IT-configured email client like Outlook, or at least Outlook Web Access, reaching a mailbox already filtered for spam and phishing messages. While many smartphones support Exchange Active Sync, employers can be reluctant to grant corporate mailbox access to employee-purchased consumer-grade phones. This can result in users forwarding work email to personal accounts, delivered directly to phones, without being scrubbed for spam and phishing. Companies should give serious consideration to this back door and take steps to provide safe mobile email access from employee-liable smartphones such as mail clients that interface with corporate email using "secure sandboxes."
Careless web surfing
Another popular smartphone activity will be surfing the web (68 percent). But surprisingly, just 20 percent of those surveyed planned to use their phones directly for online purchases. Nonetheless, many will probably still use smartphones to support their holiday shopping activities. "Online shopping was lower than we expected," said Nguyen. "This shows slow adoption of financial transactions on mobile devices, which is partly due to security concerns. But smartphones are providing a richer browsing experience which enables real-time [point of sale] access to product specs, price comparisons, and reviews, empowering consumers to have a more effective purchasing experience." For users that do conduct sensitive web transactions including logging into e-tailer or payment accounts from smartphone apps secure communications are a must. Employers may want to educate workers about identity theft techniques like Side Jacking (e.g., Firesheep) and enable secure communication for both personal and business traffic such as non-split VPN tunneling from smartphones.
Mobile file/app access
Among less popular smartphone activities this holiday season, 17 percent of users said they would view or modify work-related documents and 13 percent expected to use work-related apps. Activities like these demonstrate how powerful smartphones have become which further underscores the importance of preventing unauthorized smartphone use. Fortunately, users have started to heed this message. Among those surveyed by Symantec, 81 percent were not only aware of smartphone lock features, but had actually configured a password to lock their own phone. This is definitely a step in the right direction. But employers may want to go further by enforcing passcode policies on smartphones. This can be done on all new smartphones by using Exchange Active Sync, native Mobile Device Management commands, or a third-party security solution like Symantec's.
Carrying confidential data
In fact, a whopping 62 percent of users expected holiday season smartphone activities to involve sensitive or confidential work information. As previously noted, only about 1 in 4 users said they had installed security software on their smartphone or believed that software to be essential. Hopefully, some are still protecting confidential data using native device encryption on newer iPhones and iPads. But given the rise of Android and lack of device-level encryption there, it stands to reason that many smartphones are now carrying around unencrypted confidential data. This trend should concern employers and prompt near-term action to control the flow of confidential data to/from smartphones and enforce safe storage at minimum, by denying access to phones that lack encryption.
Although not addressed by Symantec's holiday survey, many smartphones will no doubt be accessing email, websites, calendars, etc, using a multitude of wireless networks, from mobile broadband to public hotspot to family-owned Wi-Fi. Holiday usage tends to throw a kink into established best practices, as users struggle to get on-line wherever they might be, using the most convenient (and often unknown) form of Internet access. Here, the best defense is a good offense such as using a VPN to protect all wireless activity. However, users still need to exercise common sense and a modicum of caution to avoid Evil Twin APs that can prey upon careless wireless devices. For more advice on avoiding Evil Twins, see our October top ten column.
SMS has grown increasingly popular on phones of all kinds, including smartphones with easier-to-use virtual keyboards. In Symantec's survey, 48 and 74 percent of users expected to text for work and play over the holidays. The bad news? 68 percent said they were at least somewhat likely to open a text message sent by a stranger. 29 percent even said very likely double the number very likely to open email from strangers. Ironically, 41 percent also identified SMS text phishing ("SMSshing") as a top two most worrisome smartphone attack. According to Nguyen, "People are relatively new to smartphone threats until recently, most only used them for email and calendaring. They aren't yet educated about the risks related to SMS and phishing URLs that might be presented to them, both in texts and when browsing." In addition to user education, SMS spam and sender filtering can help. These measures can be device-resident or cloud-based and prevent relay or display of SMS messages from unknown (or known-offensive) senders.
Forty-four percent of respondents said they were likely to download mobile apps while taking time off over the holiday. Unfortunately, just 18 percent said they paid close attention to license agreements to understand what data and services those apps would be permitted to access on their smartphone. Another 35 percent admitted they did not read license agreements at all. This trend should raise loud alarm bells for employers particularly for mixed use phones running apps downloaded from the free-wheeling Android Market. According to the App Genome Project, 29-33 percent of iPhone and Android apps can access a user's location; 8-14 percent can access contacts. But why do so few users care? "Based on their experience with PC downloads, many people have learned to tune out license legal-eeze," said Nguyen. "But with smartphones, licenses are different apps must publish the capabilities and privileges to inform user before installation. We're seeing a high percentage of apps that require access to information they don't really need." Reviewing and understanding licenses during app download should become a smartphone best practice. Companies that deploy security software can also use whitelists to control app installation. Someday soon, smartphones may be virtualized to better segregate personal and business apps and their environments.
Finally, 68 percent of respondents expected to use social networks (e.g., Twitter, Facebook, LinkedIn) during the holiday. This comes as no surprise, since social network usage is rising fast and all smartphones now run a plethora of apps designed to make these sites more usable on small screens.
According to Nguyen, social networking threats on smartphones are expected to parallel those now being experienced on PCs. "Threats are moving from the OS level to the application level, with social engineering attacks being used to trick users into clicking on links that cause malicious behavior," he said. "Social networking apps on smartphones will encourage hackers to customize attacks for mobile devices."
Mobile malware has ramped up rather slowly on smartphones. But in Symantec's survey, a surprisingly high percentage of users cited malware as a top three concern. Enterprises may not be nearly as concerned yet. But when mobile malware emerges in full-force, it's likely to penetrate the enterprise through an unprotected back-door like social networking. Here, forewarned is forearmed.
Symantec's survey focused on holiday season smartphone use, but it provides useful insight into habits, end user attitudes, and emerging trends that could apply all year long. Clearly, employers need to start taking smartphone security threats seriously and that includes employee-liable consumer smartphones. So don't let the Grinch steal Christmas (or Hanukah or Kwanza or your own December holiday). Safeguard those iPhones and Androids and tablets to mitigate these mobile risks.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
Follow eSecurityPlanet on Twitter.