Security: Risk to data is underestimated

Listen to this article


Smartphones offer the convenience of considerable computing power in a pocket-sized format. But that convenience could be at the cost of putting companies’ data at risk.

As mobile phones and tablets become more powerful, and more popular, they are being used to run a wider range of business applications and potentially carry more business data. But with a few exceptions – such as the BlackBerry range of smartphones – mobile devices and cellphones have not been designed with data security in mind.

The number of data breaches or losses that can be traced back directly to a mobile device remains small. Information security experts warn that it is only a matter of time before this changes. They say too few businesses are taking the threat seriously.

According to the latest annual Global Security Report from Trustwave, a security management company, mobile phone software, or “apps”, often contain security holes. Its tests found flaws in 87.5 per cent of applications tested, and the company’s researchers have seen a massive increase in the number of samples of malware – software that can damage a phone or steal data – it collects.

For the Android mobile operating system alone, Trustwave found 200,000 samples last year, a fourfold increase on 2011.

Sophos, an IT security firm, says it is collecting about 70,000 mobile malware samples a year, far fewer than for PCs yet increasing quickly. “From our research, mobile is still a small, but fast-growing, source of attacks,” says Gerhard Eschelbach, the company’s chief technology officer.

The range of security threats to mobile devices is, if anything, wider than those for desktop PCs.

As well as software designed to steal personal or company data, hackers have created programmes to hack in to mobile banking sites, or to use premium rate text messages to steal funds from unwary phone users.

The threats to mobile devices are becoming more co-ordinated, too. According to Mike Fey, chief technology officer at McAfee, the Intel-owned IT security company, attacks on mobile devices have so far, been “opportunistic”. Attacks on PC networks tend to focus on particular companies and particular types of data.

Attackers targeting mobiles tend to sniff around for interesting data on any devices they can hack. But, he says, as phones start to carry more data, and become more powerful, that is changing. “Downloading 16GB of data from a phone would take all day with 3G, but just over an hour with 4G,” he warns.

Observers liken security on mobile devices to the early days of the laptop PC: a wild west with few security controls, few laws, and certainly no effective policing.

Mobile users are more likely to be in the line of fire as improved security makes attacks on PCs and businesses’ fixed networks harder to carry out. “Malware writers take the path of least resistance, and that is increasingly mobile devices, especially as large botnets [networks of compromised PCs] get taken down,” says Martin Jordan, director of risk and assurance at consultants KPMG.

Businesses face a further risk when it comes to mobile devices: the trend for employees to use their own tablets and smartphones, rather than a company-issued PC. This development, also known as bring-your-own-device (BYOD), makes it harder for security teams to lock down and protect company data. It is a weakness criminals are all too keen to exploit.

“With BYOD you can’t really control the devices,” says Etienne Greef, managing director of SecureData, a consultancy. “But many companies don’t want to enforce [security] policies if that then means they have to manage that device.”

Firms might, for example, want to lock a stolen phone, or wipe all data from a lost tablet. But this is complicated for employee-owned devices that contain personal applications, music collections, or treasured photos. There is also the issue of removing potentially sensitive information from mobiles and tablets, if someone leaves the firm.

Technology, though, only offers partial solutions. Some phonemakers are working on tools that create a “sandbox” for business data, allowing IT departments to wipe just that part of a lost phone, leaving the owner’s personal data intact.

Companies can design their software so that no data are stored on the device at all. Instead, employees view their business applications through a web browser. This has clear security advantages but it needs a relatively powerful device – usually a tablet, not a phone – and a fast mobile data connection to work well.

“It is not the price of the device that is the issue,” says Omar Khawaja, of the security arm of Verizon, the telecoms operator. “It is the data on it, that you need to prevent access to.”

For now, such measures are often as complex and costly as asking employees to carry a properly secured business device. The alternative, says John Skipper, information security expert at PA Consulting Group, is to educate users in how to keep their mobile devices secure, just as companies have done with PCs.

“Security of mobile devices requires the same discipline as any other form of security,” Mr Skipper says. “Ensure that you have a robust understanding of your risk, that you understand the information and data”, and, he adds, “what are the threats to those data”.

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from and redistribute by email or post to the web.