Human error is still the No. 1 threat to valuable corporate information stored on mobile devices. And unless someone develops a way to avoid loss and theft altogether, that threat isn't likely to go away any time soon.
According to experts, when it comes to security threats against data on mobile devices, malware, viruses and worms still don't hold a candle to loss and theft.
"Everyone who has a mobile device has the same risk of having it stolen or lost," said Peter Larsson, CEO of Pointsec Mobile Technologies, a Stockholm, Sweden-based enterprise device security software provider. "Companies are carrying around corporate data on PDAs and laptops and it's not protected. The bulk of corporations aren't protected. There are still a lot of unprotected users and devices out there."
Antivirus software and firewalls may protect a network, but they don't protect device-stored data, Larsson said. However, there are ways to keep information out of the wrong hands in the event of theft or loss. If used correctly, encryption and authentication work best, Larsson said.
"If I found a laptop, it's pretty easy to find the data stored on it," Larsson said. "You need to protect the device in another way. If you lose a computer with customer data, you have to make sure it is not accessible for anyone else."
To prove that device-based security is lacking, Larsson said he and his colleagues recently bought 100 used hard drives on eBay. Searching through the drives, Larsson said, he found many still contained corporate information that was easy to access. A few, he said, contained "highly sensitive data." Larsson said his experiment was meant to illustrate how easily a stranger can access unprotected data.
"If I were a hacker today, I would go out and buy used mobile devices and hard drives," he said.
Devices protected by Pointsec, Larsson said, use an initial sign-in screen that users must log into before accessing the network. It can be customized to shut down a device after any number of failed log-in attempts. After a user signs in, they also have to get into the network. All data is encrypted and protected without giving the user a choice.
"If you let the user decide, there will be data that's not protected," he said. "If they lose a computer with customer data or other information, [encryption and authentication] makes sure it's not accessible to anyone else. That way, the only thing you have to worry about is the hardware."
Tim Scannell, president of Quincy, Mass.-based Shoreline Research, agreed. He said many companies have taken the attitude that devices will inevitably go missing and are willing to absorb the cost. However, companies are not as forgiving when those devices contain data that should be protected.
"It's a significant danger," Scannell said. "And it's going to be even more of a danger going forward as mobile devices become more capable."
Scannell said he knows of a security company CEO who left his notebook in a taxi, putting at risk three years of corporate strategy stored in it. Though the notebook was returned unharmed and secure, it was a wake-up call.
"A lot of these devices are being lost," Scannell said. "And there are safeguards like identification, passwords and authentication, but if you're already logged in, there's not a lot you can do."
Some products prompt users to re-authenticate, but that can interrupt work and be a hassle, he said.
Scannell said several companies are now putting restrictions on how much data and what types of data users can store on their devices. In some cases, once that information is used, it is wiped from the device.
"The big danger here is when [someone uses] the device as a key to get back into the server for some reason," he said.
Kathryn Weldon, principal analyst of enterprise mobility with Sterling, Va.-based research firm Current Analysis, however, said the key isn't protecting just the device, but implementing end-to-end solutions that secure the network and devices at three different levels.
First, Weldon said, companies need to secure corporate servers and the perimeter with firewalls, and antispam and antivirus protection. Second, she said, businesses must ensure their carrier or any middleware is secure with end-to-end encryption. Lastly, the device itself should be updated with additional encryption, authentication and some form of network policy management.
That's where several enterprises fall short because they use just one or two of the three options, Weldon said. She said most companies also must set corporate policies to determine who can log onto the network, what information they can access and what security updates are necessary so they don't infect the network.
"To think you're protected at the corporate site with just firewalls and antivirus is naïve," she said.
But, Weldon said, companies have wised up and are now looking for ways to secure on all three levels.
"The IT department is actually starting to take this stuff seriously," she said. "They're asking whether you protect at the perimeter or protect at the device. You need to do it at both ends."
Weldon said that, similar to Pointsec, vendors like Credent and Bluefire Security Technologies also offer device-based encryption and authentication tools that work well as an additional layer.
"There are companies out there saying, 'Why don't we just encrypt everything,'" she said.
Another vendor, Milpitas, Calif.-based Phoenix Technologies Ltd., has taken a different approach. The company this month introduced a new product, the TrustConnector 2, an application that prevents attackers from accessing protected systems even if they have valid IDs and passwords. According to Phoenix Technologies, every device that can access a network is given an identity that cannot be altered or stolen, making each identified device trusted.
While the TrustConnector doesn't protect a device from loss or theft, Phoenix Technologies said it supplements other device-based security features.
"The sophistication and number of network attacks are growing as the assets on the network are getting more sensitive and valuable. Now more than ever, organizations must protect these assets, particularly their financial systems, company trade secrets, customer and personnel records, private information and regulated data -- and that protection begins at the device level," Albert E. Sisto, chairman, president and CEO of Phoenix Technologies, said in a statement. "TrustConnector delivers the most effective solution for endpoint security with the least amount of intrusion on existing processes."
One thing hindering solid device and mobile network security, Weldon said, is the fragmentation between carriers, vendors and resellers on which level they protect. Some focus on devices, others focus on the network, and there are still carriers and middleware providers that put their focus somewhere else. Trying to tie all three into one bundle is frustrating, costly and time-consuming for IT professionals, she said.
"From an enterprise perspective, why do you have to go to three people or more to protect from end-to-end?" Weldon asked. "There's got to be more integration in this market."
Weldon said some system integrators have taken advantage of the open market and have paired with vendors and carriers to offer three levels of protection, but it's still in its infancy.
"They're not going to re-invent the wheel," she said, "but carriers are partnering with third parties to integrate at all the enterprise levels. It's surprising that some of the bigger vendors haven't taken this market over."