Company executives claim they spend considerable time worrying about the security of smartphones and other wireless
devices proliferating across their enterprises. But the steps they're taking to keep the bad guys at bay often fall short of what's needed.
Cupertino, Calif.-based AV firm Symantec Corp. reached that conclusion after mulling over the results of a survey (.pdf) The Economist conducted on its behalf.
Paul Miller, Symantec's director of mobile and wireless, said he was taken aback by the contradictive results. On one hand, 82% of the nearly 250 company executives surveyed by London's The Economist Intelligence Unit Ltd. research firm said they see the damage from virus attacks as the same or greater on a mobile network than on a fixed network. Yet only 26% have actually assessed the security risks of smartphones, compared with 81% of enterprises that have assessed their laptop security.
Despite the proliferation of mobile device use in the enterprise, only 9% of respondents said they've deployed a comprehensive security architecture designed to include mobile device access. Meanwhile, 39% said they have granted mobile devices access to the corporate network on an ad hoc basis, and 39% have also integrated mobile devices into the security architecture of their existing fixed networks. Meanwhile, almost 20% of businesses have suffered financial loss due to attacks targeting mobile data platforms.
Miller said too many enterprises use outdated security paradigms. "In today's enterprise, there are multiple endpoints to account for and proper protection cannot be tackled as one-size-fits-all," he said. "Three out of four companies do not specifically address smartphones in their security plan, even though they recognize the threat to mobile devices is as great as the threat to wired devices."
The results also indicate Western Europe is best prepared for wireless device threats, while the U.S. is least prepared. Fifty-five percent of respondents from Western European businesses said they've deployed security software to protect mobile data, compared to 44% in Asia-Pacific and just 36% in North America.
And while 39% of enterprises are increasing the use of mobile technology without taking the proper security precautions, about 60% of them are letting security concerns hold back handheld device deployments.
"Security is the one particular issue that continues to impede the widespread adoption of mobile computing in the workplace and if it continues to be overlooked, there is a danger that some businesses will miss the advantages mobility can bring to their workforces," Gareth Lofthouse, director of custom research for The Economist Intelligence Unit, said in a statement.
Miller said Symantec's most recent threat report illustrates why enterprises must solve their wireless device security problems. It showed that malware targeting mobile devices -- particularly smartphones -- continued to grow through the second half of 2005.
The report also highlighted several new examples of malware for smartphones including Cardtrp, the first cross-platform threat with the ability to affect both Symbian and Windows operating systems. The end of 2005 also saw the emergence of Pbstealer, distributed as a file that represents itself as a phone book utility for smartphones in order to entice a user to download and execute it. Once a device has been compromised by one of these Trojan horses, Miller noted, information such as the user's phonebook, notepad, calendar, and to-do list will be transmitted to Bluetooth-enabled devices that are within range.
Asked what enterprises should do to bolster wireless device security, Miller said, "Our recommendation is always defense in depth. Our view is that smartphones are part of the endpoint and enterprises need to adjust their overall endpoint security to account for this." Endpoint security is a strategy in which security software is distributed to end-user devices but centrally managed.
"Employees must be trained to think of smartphones the same way they think of laptops -- they contain the same data and need to be cared for the same way," he said.
Companies can begin leveraging mobile technology as a competitive advantage by adding mobile protection to 5 or 10% of their mobile workforce and heeding to best practices, Miller said, adding, "This measured approach will help tremendously in preparing for major deployment."