The increasing popularity and deployment of mobile devices, especially smartphones and tablet PCs, can present a significant amount of risk to the overall enterprise security posture, states a white paper released by ISACA, a global association for enterprise governance of information technology. Mobile devices have numerous vulnerabilities that leave them susceptible to malicious attacks as well as nonmalicious internal threats. From the types of networks the mobile devices use to the threat of data loss, mobile devices have no shortage of inherent risk.
In its 'Securing Mobile Devices' paper, ISACA says, "Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability. Mobile devices transport data via wireless networks, which are typically less secure than wired networks. These wireless networks can leave information at risk of interception. Additionally, many of these devices have storage capability and unencrypted data at rest, thus the information gathered from either the interception of data in transit or theft or loss of a device can result in the compromise of sensitive and proprietary information."
In addition to data loss, mobile devices carry the risk of introducing malware, the paper reveals. The devices themselves can be used as a platform for additional malicious activity. Devices and laptops with onboard microphones and cameras are particularly vulnerable because they can be activated easily using publicly available tools, possibly resulting in malware propagation, data loss and eavesdropping. Likewise, cellular and Voice over IP (VoIP) technologies have vulnerabilities that can be easily exploited, resulting in intercepted calls.
"Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises. Creating a transparent, understandable, flexible and executable policy to protect against risks related to the use of mobile devices will support management in its effort to protect intellectual property and sustain competitive advantage," the paper states.
Governance frameworks such as COBIT or Risk IT will help businesses ensure that process and policy changes are implemented and appropriate levels of security are applied. ISACA recommends that enterprises consider the following issues when creating a mobile device strategy:
* Define allowable device types (enterprise-issued vs. personal).
* Define the nature of services accessible through the devices.
* Identify the way employees use the devices; address corporate culture as well as human factors.
* Integrate all enterprise-issued devices into an asset management program.
* Describe the type of authentication and encryption that must be present on devices.
* Clarify how data should be securely stored and transmitted.