New research indicates that many companies are putting a hold on the introduction of new wireless technologies based on concerns over IT security.
Published by security applications maker Symantec and the research arm of UK-based newsmaker The Economist, the survey contends that the threat of virus attacks, potential flaws in smart phone software and a lack of wireless network access controls have forced many enterprise firms to slow down their adoption of additional mobile applications and devices.
Based on interviews with some 240 companies with international operations, the study found that over 60 percent of the enterprises involved in the survey were currently postponing the introduction of new wireless tools based on such security fears.
Some 47 percent of survey respondents said that the cost and complexity of wireless technologies remains a major obstacle to adoption.
While some security experts have accused IT vendors such as Symantec of hyping up the threat of mobile attacks—with only a few minor viruses having affected popular handhelds compared to the avalanche of PC-oriented malware programs—the survey found that just under 20 percent of those interviewed had already experienced financial loss due to attacks on mobile data platforms.
Ziff Davis Media eSeminars invite: Join us April 13 at 12 p.m. ET to learn how to centralize remote office data in the data center, gain control over the integrity and security of data, and enforce corporate backup policies and ensure data recovery.
The growing problem of insufficient wireless security is only just beginning to gain momentum, but the potential for serious problems down the road is already taking shape, said Paul Miller, director of mobile and wireless solutions at Symantec.
While no “cataclysmic” mobile viruses have emerged yet, he said, waiting for threats to become more sophisticated and damaging is not the smartest way to approach wireless security.
“Were not here to beat the hype drum, but companies need to begin thinking about this and rolling out appropriate policies and technology before we do see a serious problem,” said Miller.
“We need for people to learn from the lessons we were exposed to on the desktop instead of repeating mistakes with mobile devices; adoption and security threats tend to grow hand-in-hand, so unless enterprises prepare, we will see a major breakdown when that first big attack arrives.”
Since popular mobile phones run on so many different operating systems—unlike the vast majority of PCs, which run on Microsofts Windows OS—it may be another year or even two until such an event occurs, Miller said.
However, hes willing to bet that the fallout from such an attack will be dramatic, as so many companies have not yet addressed wireless security from the top down.
The research also contends that todays wireless attacks are already becoming more sophisticated and damaging than many of yesterdays PC-borne viruses.
Some 82 percent of those companies responding to the survey said that they would rate the impact of mobile viruses as roughly the same, or even worse, than the fallout caused by more traditional IT threats.
A major part of the problem around wireless security remains that many companies have yet to enlist sufficient policies to cover the use and protection of mobile devices, said Miller.
Only 9 percent of respondents to the report said that they have incorporated a security architecture designed to include mobile device access, while 81 percent already have policies in place for the use of laptops and other computers.
Smart Phones Remain Vulnerable
The research also pointed to some regional disparity in terms of companies existing efforts around increasing security for wireless devices.
While 55 percent of Western European businesses said they have adopted security applications to protect mobile data, only 44 percent of respondents in Asia-Pacific, and just 36 percent in North America, said they have done similar work.
The threat of adopting new, more powerful handhelds with PC-like capabilities, known as smart phones, is also troubling customers, said Symantec.
Only 26 percent of the firms involved in the survey said they have already begun assessing security risks related to such devices.
According to Symantecs latest Internet Security Threat Report, published in March, there has been a significant increase in the number of malicious programs written to target mobile devices, particularly smart phones, over the last year.
Smart phones in particular are becoming an attractive objective for malware writers as the devices tend to hold corporate data.
These include Cardtrp, which the company identifies as the first cross-platform threat aimed at both the Symbian and Windows mobile device operating systems, and Pbstealer, a file that cloaks itself as a phone book utility for smart phones to lure users to download and execute it.
These viruses typically infiltrate a devices phone book and calendar settings and cause phones with Bluetooth connectivity to broadcast the data publicly, Symantec reported.
“Smart phones, if left unsecured, will emerge as the weakest link in enterprise security strategy,” said Miller. “People are familiar with the threats against business PCs and laptops, but they admit theyre not even thinking about smart phones. Based on the type of data these devices hold, that neglect is a trapdoor to the underbelly of an enterprise.”
Some security industry watchers remain unconvinced that enterprises need to shift as much attention to wireless security in the near term.
Graham Cluley, senior technology consultant with anti-virus specialists Sophos, said that while companies should consider the future implications of mobile threats, there is not enough evidence of activity in the space to cause serious concern today.
Companies are still struggling to fight PC-borne viruses, with which they are bombarded on daily basis, he said.
“At the moment there are only a handful of mobile phone viruses; theyre not spreading in high numbers and they are very rarely encountered, whereas every day there are scores of Windows attacks, roughly two thousand of them in 2005 alone,” said Cluley.
“If you want to focus on where the real battle is happening today, its on the desktop; thats not to say that in the future there wont be more mobile threats, but we feel that companies should have more focus on current issues.”