Pocket-sized computing devices, like PDAs, smartphones, cellphones and ultra-mobile PCs, introduce some unique security vulnerabilities and exacerbate a lot of existing vulnerabilities. This is according to PricewaterhouseCoopers' security competency leader, Johann van der Merwe, who spoke at ITWeb's MobileBiz conference held at Vodaworld this week. He said handheld devices are rapidly gaining advanced features, which can improve the way businesses operate. He noted these devices are driving business efficiency as well. However, they are putting businesses at risk especially when it comes to information and assets. “Cellphones are becoming mini-computers because they support Internet browsing, video conferencing, word processing, instant messaging, e-mail and much more,” he pointed out.

Van der Merwe suggested that businesses take into account the risks associated with mobile penetration. He said mobile devices are exposing organisations' information and assets to many security risks. “This problem calls for effective risk management and out-of-the-box thinking.”

According to him, handheld devices have vulnerabilities because of their poor physical security. “Because these devices are physically small they are easily lost or stolen.” He said in 2004, Cell C stated that 600 000 cellphones were reported stolen in SA and this number has increased since then. “This is alarming considering many people keep organisational information on these devices.”
Click here

The other threat, he said, is that mobile devices are always on, with multiple wireless interfaces some of which are not secure. “Many applications services are insecurely configured and switched on by default and this exposes the organisation to so many risks as it gives cyber criminals access to organisational data through these mobile devices.”

This has drastically increased attack opportunities because mobile devices can be attacked anywhere from a distance,“ he added.

Van der Merwe advised organisations to take a different approach. “They should acknowledge the business benefits of mobile technologies and the inevitable adoption of mobile devices and leverage the business benefits of a self-organised mobile workforce,” he said.

Organisations should incentivise users to buy a mobile platform that is supported by the organisation, he suggested. “Only allow specific mobile devices to connect to systems with corporate information assets and provide 'free' security software support like device firewall, anti-virus, disc encryption, and remote wipe,” he says. He advised organisations to derive suitable security controls from detailed risk assessments.

Instead of disallowing handheld connections, Van der Merwe suggested that organisations encourage safe and secure connectivity for their employees, because they will connect to the corporate network or use them for business purposes anyway.

He added that organisations should know that security controls are dependent on usage scenarios and context, so their organisational threat modelling should include personal devices used for business purposes like handheld devices. “Risk assessments are fundamental to choosing appropriate security controls,” he pointed out.

Van der Merwe concluded that businesses should support and encourage secure computing and lock out insecure devices.

Related stories: