What looks like a phone and works like a phone but is really a computer? Pretty much any device classified as a “smartphone.” And while the devices do send and receive voice signals, the security necessary to keep them and the networks they connect to safe is more closely related to the personal computer than the telephone.
Tom Cross, a mobile security expert with IBM Internet Security Systems X-Force, is encouraging the users and organizational distributors of smartphones to take steps to secure their information and networks. He offers five recommendations for any company or agency that distributes the devices to its employees to allow them to connect into an enterprise. “Most of the advice that we have really relates to protecting your network from the phones if they are exploited,” Cross says.
The first recommendation is simple and direct: enforce strong passwords on smartphones. Cross explains that security personnel can use the software that comes with the platform or a third-party security measure to enforce password policy. Passwords are critical because they can prevent the disappearance of a $400 phone from becoming an invaluable loss in terms of personal e-mail and other private information. If users have to enter complicated passwords, organizations have a better chance of protecting corporate data.
Cross’ second recommendation is to protect smartphone virtual private network (VPN) access. He explains that organizations should put up firewalls to constrain services to those that are relevant to smartphone users and block access to other services. Companies and agencies can use intrusion prevention to inspect network traffic from smartphones into the network, preventing users with malicious intent from access to all internal resources. In addition to constraining traffic to what is useful to the devices, organizations also could issue different access accounts for smartphone users and laptop users to control who sees what on the network.
The third protection idea is to establish a procedure employees should follow if a smartphone is lost or stolen. Employees should have a telephone number to reach the information technology department of their organization. Information technology personnel usually can disable the phones remotely from the network and wipe all the data from the device. The faster an employee notifies information technology of the missing smartphone, the more quickly professionals can clean the device and replace the unit.
The fourth recommendation Cross has is to consider controlling the third-party applications employees can install on their phones. Those services are part of what makes smartphones so powerful, but, Cross says, “Third-party applications can also be a source of malicious codes.” Some platforms come with application security features, such as allowing only digitally signed third-party applications to be installed. Each platform has a different way to approach this type of security. Organizations also can create their own list of what can be placed on the phone and what is prohibited.
Cross’ final recommendation is for people and organizations using the platforms to evaluate antivirus software. Just as an enterprise would install antivirus technology on laptops, the same may be necessary for smartphones. A number of major antivirus software manufacturers have software that runs on the devices. Malware is more prevalent for programs such as Windows Mobile and less directed toward the iPhone and BlackBerry, but Cross believes it is only a matter of time before threats aim for those platforms. He recommends that organizations monitor the availability of antivirus software and decide when the technology is worth the investment. Cross anticipates the growth of malware and says organizations that make decisions early will be able to better protect their networks.
According to Cross, one of the major security problems inherent in a smartphone is user perception. “People think of it as a phone, and that creates a problem in and of itself,” he explains. While people may be familiar with security on laptops and recognize the sophistication of the software, they often fail to realize that the new smartphones are comparable to those computers and may even run similar network protocols. “You need to think of [smartphones] more like a laptop and less how you’ve traditionally thought about phones in the past,” Cross says. Users also have to be aware that smartphones identify a person’s physical location more directly than any other device.Despite his recommendations, Cross does not believe smartphones are particularly dangerous. “I want people to go out and use these phones,” he says. “I think they’re really exciting. I think they’re really powerful, and I have these phones myself.” He just hopes everyone who does enjoy the benefits of smartphones uses them intelligently. “If they do it in a safe way, they’re going to have a better experience,” Cross says.