Slashdot Mirror


Smart Phones "Bigger Security Risk" Than Laptops

CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"

10 of 174 comments

  1. Surbey by Anonymous Coward · · Score: 5, Funny

    password when they used their phone. A VP at the company that performed the surbey said:

    Surbeys, we should learn how to take them
  2. Not surprising by grizdog · · Score: 5, Insightful
    Usually there is a tension between security and convenience/ease of use. Convenience is going to be paramount for most users of mobile phones, PDAs, etc. So security will typically take a hit.

    Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.

    1. Re:Not surprising by blincoln · · Score: 5, Insightful

      In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones or PDA's.

      The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    2. Re:Not surprising by geekmux · · Score: 5, Insightful

      In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones... What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly.

      Er, contacts, sensitive emails, HR data, IP, financial data, contracts, just what exactly does your average CxO NOT deal in? Give me a break man, I mean hell, would YOU hand over YOUR smart phone to a stranger and not think twice about it? Your opinion on the value of data pretty much says it all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one...
  3. IT departments securing handhelds by samkass · · Score: 5, Insightful

    The only handhelds allowed to connect to our corporate network are company issued ones, and they come locked down so you have to enter a password after a few minutes of inactivity to do anything except answer the phone. Our laptops come with the whole-disk encryption pre-installed. All external web access goes through the company proxy.

    It's possible to lock it all down instead of living in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down the ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.

    (And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )

    --
    E pluribus unum
  4. Re:Fortunately, we use blackberries! by vux984 · · Score: 5, Informative

    Mod parent up. Blackberries ARE better than the other PDA platforms in terms of security, because they do support this level of security 'out of the box'.

    Other PDAs don't, and in most cases you can't even add it. With the BB, you can essentially set them up so that all data is end-to-end encrypted to YOUR server, and from there it can go out to retrieve web pages, access address books, download documents, run applications, etc, etc. You can apply corporate filters to the web, limit applications, etc, etc all very easily.

    All other PDA platforms require you to trust the carrier and the user for a significant chunk of the security. They give you exchange and imap support for example so email can be reasonably secure, but it's much harder to lock down EVERYTHING else... like blocking it so the pad web browser can't reach facebook or myspace or so poker can't be installed... blackberries make it as easy to manage PDAs as it is to manage desktops... which is to say... it's a hassle. But on other platforms it's not even really doable.

    How easy is it to get an iphone to run through a 'VPN' so it can access an intranet site and have no or extremely limited access to the public WWW? This is a pretty common scenario for the PCs staff are provided by enterprises, but smartphones in general do not make this sort of configuration easy; in many cases it's simply not possible.

  5. analog hole by Gothmolly · · Score: 5, Insightful

    I can't carry an iPhone, but I can bring home a file folder full of secrets.
    I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
    My email is filtered for PPI and dirty words, but you don't filter my Gmail.
    I can't FTP, but I can attach 10 MB files to webmails.

    Build a better mousetrap, and some management school out there will produce a stupider monkey.

    --
    I want to delete my account but Slashdot doesn't allow it.
  6. Re:Passwords? by robo_mojo · · Score: 5, Funny

    Yeah, people who make such weak passwords are really dumb.

    I've got a really good password for my bank account. It's: L;WMc6HC

    Nobody will ever break that!

  7. Re:Fortunately, we use blackberries! by ohcrapitssteve · · Score: 5, Informative

    In just a few days, Apple is set to release iPhone Software 2.0 (as well as maybe Hardware 2.0...) but sw 2.0 is slated to have many of the enterprise features listed above. Not to sound like an Apple commercial, but features will include:

    -ActiveSync (with SSL..)
    -Remote administration with remote wipe of a lost device
    -Cisco VPN with RSA SecurID

    And as far as the VPN question, it is pretty straightforward, just another pane in the settings menu. PPTP and IPSec.

    So iPhone's release featureset wouldn't have satisfied your needs, but tune back in in a few days and see if it floats your boat.

  8. At my company, we had a simple solution to this... by Ortega-Starfire · · Score: 5, Funny

    In each computer desktop, laptop, and smartphone, we installed hardware encryption and a C4 charge with remote 2 tier authentication for detonation. The two tier authentication was introduced after an unfortunate mishap involving our CFO getting his arm blown off while out golfing; it turns out the detonation frequency was a maritime frequency as well.

    The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.

    We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite ceilings designed to completely melt down the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)

    Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4.)

    Thank you,
    Ortega Starfire
    CTO, Hoffman Institute
    For The Advancement of Humanity

    --
    ---- Liquid was a patriot ----