Careless Users Challenge Mobile Security

At a mobile conference, wireless vendors showcase new approaches to wireless and handset security. But one of the biggest threats continues to be careless and forgetful users, analysts warn.

CHICAGO—The primary security threat posed today by the surge in corporate use of mobile devices is not malware, industry pros said here Monday, pointing instead to missing mobile phones and lost PDAs.

The discussion at the Mobile Business Expo sounded notes contrary to the conventional wisdom about security for mobile enterprise networks.

For example, during one six-month period last year, in Chicago alone, business workers lost more than 85,000 mobile devices as they stepped out of cabs.

"That's a staggering amount of risk for companies," said Vicki Warker, vice president of marketing and products at Sprint Nextel Corp.'s Business Solutions group. "Their networks are exposed."

About 85 percent of a company's intellectual property can be discerned through its e-mail, said John Dolan, vice president of product management, wireless division, Oracle Corp. "And people still treat e-mail as a stepchild," he added.

These kinds of facts are changing the way network operators—and software developers—are thinking about mobile networks.

"There is a power, and a danger in mobility," Warker said to Ziff Davis Internet. "You can increase productivity. You can reduce cycle time. But the danger is the increasing complexity for your business. There is also the security risk."

There are some 162 million mobile subscribers in the U.S. today, she said, but only about 40 percent of organizations have a security policy for mobile applications.

"There is a tremendous risk of loss of important data from an array of wireless access points—the office, the home, Wi-Fi," said Warker. "But most of the spending is on anti-virus, and authentication technologies. That's just not enough."

This kind of security is a problem because most wireless networks were originally conceived as consumer networks, with the business applications overlaid on top, she said.

"Verizon, Cingular and T-Mobile were built for the consumer," said Tim Bradley, chief executive officer of Newtown, Pa.-based AirClic USA, a developer of wireless applications for businesses.

Those firms, along with Nextel, control most of the wireless infrastructure in the United States.

Now that Sprint has merged with Nextel, the combined company is moving forward with a pilot security project that will enable the carrier to "zap" mobile phones that are lost in the field, and prevent the information on them, including e-mail messages, from being retrieved by competitors on the black market, Warker said.

"We're trailing an enterprise network security product now," she added.

She also said that the network will require that mobile devices go through a three-step process to get on an enterprise network: authentication, interrogation, and then a final access decision.

"Sprint does not just want to treat the enterprise like a big wireless consumer," Warker said. "Endpoint access must be secure before the user is granted network access."

Other vendors at the expo here touted different approaches to securing PDAs containing mission-critical information.

Research in Motion Ltd. is working with PGP Corp. to enable users of BlackBerry devices to receive, and send, PGP-secured e-mail.

"We believe the news will be welcomed by many enterprise customers that have chosen and deployed PGP [Pretty Good Privacy] technology," said Mark Guibert, RIM vice president of corporate marketing.

The technology is designed to work with PGP's universal solution and provide e-mail encryption, decryption, digital signature and verification services for messages sent from BlackBerry devices.

Users may authenticate themselves with private pass-phrases before decrypting or signing e-mail. In addition, outgoing e-mail messages are automatically encrypted, he said. The technology is expected to be available later this year.

Other analysts here, however, argued that the focus for businesses needs to move from communications-centric technologies to "process-centric technologies," among them Brian Rosenberg, senior vice president of mobile systems at Ericsson Inc.

"There need to be process-centric applications developed for field force management, dispatching, telemetry and mobile health care."

Most of those vertical enterprise solutions and technologies will emerge from partnerships between the mobile telcos and software developers.

One such project was a collaboration in Europe between Hewlett-Packard Co. and Ericsson, which resulted in 30 percent cost savings for HP, Rosenberg said.

The project gave users in the field the ability to make calls on a mobile network in the United States and have them routed domestically through a PBX for an in-house network, eliminating the long-distance calling charge.

But a problem with these ad hoc, off-the-shelf technology solutions is that, ultimately, enterprise customers will still have to "cobble their own solution together in the end," said Warker. "There's just a confusing array of vendors."
