Nowadays even the most naïve PC user will know the importance of anti-virus software on their PC, the threat of ‘phishing’ attacks, and why you should never give out your credit card details to unauthorised sources, writes Symantec's Candid Wueest. You wouldn’t let a random person off the street take a peek at your business-sensitive data. Nor would you print off your confidential emails and give them to a stranger to read. But many businesses are effectively doing this by not paying enough attention to smartphone usage within their organisation.
Mobile working for most people started with the BlackBerry, which enabled access to corporate email on the move. With increased innovation in the mobile phone market, high-performing technology and faster access to data using 3G mobile networks, it’s now possible to access even more critical business systems when out of the office. Gartner reckons access to the web from mobiles will overtake desktop and PC usage within the next three years.
However, while the majority of PC and laptop users understand the threat of viruses (there are over four million affecting Windows alone), fewer realise that there are currently 400 different viruses associated with smartphones. A recent (albeit harmless) example was the ‘rick-rolling’ worm that hit the iPhone in 2009. This particular worm merely changed the iPhone’s wallpaper to a picture of ’80s pop star Rick Astley – but the next generation of smartphone viruses could do far more harm, and even infect the corporate network.
Unlike the desktop market, where Windows is more or less ubiquitous, there is no single common mobile platform – which can be a hindrance both to those who write viruses and to those charged with protecting the phones. However, this doesn’t mean that the threat isn’t here, now, and very real.
It’s not just mobile viruses that threaten the security of your corporate network. Loss or theft of a smartphone is no longer just about the inconvenience to the user and the cost of a replacement unit. With the increasing volume of ‘stealable’ business data held on handsets – combined with poor encryption and lax password protection – the cost of a ‘minor’ inconvenience could run into the millions.
The onus is not just on the IT department to install security software on corporate handsets. As with desktop PCs and laptops, a security policy is only as good as the strength of the user’s password. In the case of smartphones, most users don’t bother changing their default PIN (quite often 0000 or 12345) to something harder to guess. While it’s not always possible to enforce regular PIN changes, users should be made aware of this risk via company security guidelines.
In the event of the loss or theft of a device, disabling access to remote systems and reporting it stolen to prevent unauthorised usage is not the end of the story. Business-critical information may be stored or cached in an unencrypted form on the device. Many smartphones offer a ‘remote self destruct’ feature – allowing all data to be wiped without physical possession of the device.
Aside from potential data security breaches, there is another scam as old as telecommunications itself, which those managing corporate smartphones should be aware of. Devices that are stolen are often used to make unauthorised calls to international and premium numbers, or send texts to shortcodes costing up to £5 per message. Virus writers may exploit this in future to ‘scam’ money from companies via their phone bill, meaning a smartphone user won’t be aware of someone running up charges until the bill arrives.
A simple way to prevent this is to block access from the device to premium numbers and, if the user doesn’t need to call abroad, to international numbers. This can be arranged with your mobile network operator (some networks block access to these numbers by default). Similarly, if the user doesn’t need to take their smartphone abroad, you should ask your mobile operator to bar international roaming.
As we look to the future, our smartphones are getting smarter – but so are the criminals wishing to cause our companies harm to benefit themselves. However, every business stands a much better chance of protecting itself with a few simple checks and a smarter user.
Candid Wueest is Senior Threat Researcher at Symantec.