Mobile Security Needs Major Upgrade

Securing phones and PDAs is crucial, but it's still difficult to do.

The proliferation—nay, ubiquity—of mobile devices in the enterprise makes it imperative for IT managers to take an unmoving stance on the security of these devices. Whether sanctioned by IT or not, the diverse devices used by today's mobile work force must be made to withstand withering security requirements to protect the integrity of corporate data.

And the devices that IT managers think are the most vulnerable—or the most worthy of protecting—may not be the ones most at risk.

According to a poll conducted Dec. 1 during Ziff Davis Media's Security Virtual Tradeshow Web seminar, 87 percent of attendees were concerned primarily with protecting laptops from malicious code. Protecting mobile phones, PDAs and other devices barely registered on the poll. (The archived Web seminar can be found at

Given the millions of laptops in use and connected to the Internet, it makes sense that IT managers are most concerned about them. However, there are more mobile phones in use than computers.

And while the limited computing power and the closed design of cell phone handsets have so far made them undesirable targets of virus writers, this likely won't remain so for much longer.

Case in point: According to the analysis company Ovum, there are now 10 million phones running Symbian's Symbian OS. A Symbian-based proof-of-concept virus that spreads via a Bluetooth connection was reported last June and has now appeared in the wild in Europe as the Skulls virus.

Even if viruses and worms weren't an issue, mobile devices should be a significant concern for organizations that are subject to regulatory requirements, including those in the Health Insurance Portability and Accountability Act.

For one thing, mobile devices are often lost or stolen, potentially leaving corporate data vulnerable to unauthorized access.

In addition, mobile devices almost always communicate via a wireless connection, a medium that is still notoriously insecure.

And data security, including encryption/decryption, has not been widely implemented on most mobile devices because these applications tend to tax battery life, memory and processing power.

In short, mobile device makers have focused on utility, not security, leaving the devices vulnerable.

Several companies are just now beginning to provide protection for mobile devices, and IT administrators should immediately start evaluating these tools.

For example, F-Secure's Mobile Anti-Virus for Series 60 protects a variety of Nokia and Siemens handsets that run the Symbian operating system.

The F-Secure application requires 850KB of free memory and takes up 520KB of space on the phones, but of greater concern is the processing and concomitant power drain of processing messages and attachments.

IT administrators should keep in mind that given the changeable nature of mobile devices, managing the licenses for security products will likely be more of a problem than managing the software itself. IT administrators will need to make sure that license management is at the top of the checklist for any security software for mobile devices.

Indeed, IT managers should learn a lesson from the sorry state of desktop management. For the most part, patch management, software distribution and configuration management tools have been added on and unintegrated, and this has proved to be a resource-intensive way to maintain PCs and network infrastructure devices such as routers. If the same thing happens with mobile devices, we're in big trouble.

Labs Technical Director Cameron Sturdevant can be reached at

