Smartphone exploits aren't generating a lot of buzz, but it will take only one catastrophic security breach and it's front-page news, experts warn.
"There's a general lack of security," said Stan Schatt, vice president and research director at ABI Research in Oyster Bay, N.Y. "It's something that's been below the radar screen of most companies. And the cell phone companies have not really encouraged this discussion. If they're not necessarily selling security services, then it would be negative marketing in effect unless they have a solution for it."
Schatt said at least 30 forms of malware written specifically to exploit smartphone operating systems have been identified during the past two years. He estimated that as many as 90% of smartphones are exposed and unsecured right now.
Despite the rise of smartphone malware, businesses aren't making security a priority.
"Just because they're not concerned doesn't mean it's any less of a threat," said Bill Hughes, principal analyst at In-Stat, a Scottsdale, Ariz.-based research firm. "They could be sitting on a time bomb for all they know."
That time bomb could wreak havoc, since, as Schatt pointed out, most road warriors are executives with access to emails that contain sensitive information about product announcements, litigation or financial results, for example.
"Sometimes people take smartphones back to the office and basically communicate with their PCs to download and upload whatever files they need," Schatt said. "That's a potential target right there."
Chuck Kramer, senior vice president and chief technology officer at Social & Scientific Systems Inc., a Silver Spring, Md.-based technical and research support firm, said the deployment of smartphones at his company is very limited. As a consequence he has seen little need to secure the devices. He said his employees use smartphones mainly for email, which is secured centrally on his Exchange server.
"Very few of them even know how to access the Internet from their phones," Kramer said of his company's road warriors.
On the other hand, Kramer said smartphone security has been something of a hot topic when he gets together with other CIOs.
"There's a guy with one of the local hospitals who is just going nuts," Kramer said. "He's got all these high-level employees and doctors who want to have their own phones."
Hughes said the amount of sensitive data living on smartphones is relatively low for now. But email and media files are vulnerable. Smartphones are already being attacked by spyware, such as keyloggers, he said. But it isn't just malware that poses a risk.
"For data, the biggest risk you've got is people losing their phones," Hughes said. He pointed out that many of the high-profile data breaches reported in recent years have involved lost or stolen laptops. Perhaps stating the obvious, he said a smartphone is much easier to lose than a laptop.
"It might be an interesting test to ask an airport how many lost cell phones they get every day, versus how many laptops," Hughes said.
Sprint Business Solutions, a division of the mobile phone service provider, announced late last year Sprint Mobile Security, a managed security service that protects mobile devices with policy management tools, endpoint security solutions and encryption. Notably, Sprint is offering this end-to-end mobile security service across platforms and across cell phone carriers -- an indication the company has recognized the dearth of security in the mobile market.
Stephanie Burnham, general manager of product marketing for security and services at Sprint Business Solutions, said smartphone security is still in its infancy.
"When we first started this, we were very focused on the firewall, antivirus and VPN," Burnham said. "That has turned out to be -- I don't want to say overblown -- but we haven't had a significant pain point in mobile devices with malware. The most dangerous part of mobile device data is human error."
Burnham said security will become a major issue as smartphones become more powerful. CIOs might be tempted to ban the devices as a reactionary defensive measure, but it won't do any good. Only comprehensive security will protect businesses.
"People are seeing they have the power to do work on [Palm] Treos rather than laptops because they have the OS space and the speed of network to support it," she said. "I think we're going to see viruses and worms and other malware. I think the hype preceded the actual pain. The problem is handheld devices are a much more personal choice than a laptop. IT administrators are faced with a challenge. They can say that nothing's allowed in the company, and savvy users will rig their own devices to get on the network."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer