Security Vendors Turn Focus to Smartphones

McAfee's July 29 agreement to acquire TenCube was its second attempt to purchase its way deeper into the mobile security business this year, and one of multiple plays in the space by other vendors.

Vendors are right to be interested. A June survey of enterprises by The 451 Group found two-thirds of the 91 respondents were either "highly concerned" (23 percent) or "moderately concerned" (44 percent) about a mobile security breach. This increased agita about security and management is likely to continue.

"As smartphones and tablets, which are running on smartphone OSes, increasingly take share away from desktop and laptop computers, perpetrators will move to target these users," said The 451 Group analyst Chris Hazelton. "These smart devices will be the primary portal for mobile banking and social networking, so the data stored and traveling across these devices will steadily increase in value."

Click here to read about how smudges on touch screens can endanger security.

According to analyst company Infonetics Research, the mobile security client software market is projected to grow to more than $1.6 billion by 2013. McAfee's decision to buy TenCube was preceded by its purchase of Trust Digital, as well as Juniper Networks' purchase of SMobile Systems and Awareness Technologies' acquisition of LegiTime Technologies. Other companies have made similar moves without acquisition; for example, Symantec released a beta security program for Google Android devices.

Mobile malware has increased steadily since 2003, but has not notably accelerated in 2010, said Jan Volzke, worldwide head of mobile marketing at McAfee.

"What has increased is media attention around privacy concerns [to do with] certain apps … besides app security the discussion should be expanded to cover mobile Internet usage, family safety and—what is probably the most likely mobile security incident users face today—mobile device theft or loss," Volzke said.

For enterprises, the primary challenge posed by smartphones remains the same: remote management and data protection. Most enterprises allow the use of Research In Motion's BlackBerry platform because it has all the security functionality they need, said Gartner analyst John Pescatore.

"The minimum security features we tell enterprises they need are: enforceable mandatory password to unlock, enforceable activity timeout timer and password retry limit, mandatory device content encryption, [and] over-the-air kill [remote wipe] capability," Pescatore said.

"The iPhone has reached the point where it meets that minimum with a few caveats, like lack of FIPS [Federal Information Processing Standard] 140-2 certification for the crypto; Android phones not yet," Pescatore continued. "So, enterprises who are being forced to allow use of iPhone and/or Android phones that want more than the minimum level of security policies need to add third-party mobile device management products, like Sybase, Credant, MobileIron, etc. Or they can take a more limited approach and force the phones to have a VPN client on them and the phones have to VPN to the enterprise and run through the existing security infrastructure."

What enterprises today don't really need is an antivirus client added to smartphones, he said, as it won't be effective or manageable.

Future acquisitions by security vendors should focus on related areas such as device management, Hazelton said.

"There are still some major players out there that need to increase their mobile security and management capabilities," he said. "There are several companies that are good targets. The main threat today is still lost or stolen devices, so security players will need to acquire both mobile security and mobile device management vendors."