News Stay informed about the latest enterprise technology news and product updates.

Smartphones easy target for hackers, experts warn

No one's paying attention to the security risks inherent in today's smartphones, but experts say a major breach will happen sooner than later, and most businesses won't be ready.

It's time to secure your smartphones.

Smartphone exploits aren't generating a lot of buzz, but it will take only one catastrophic security breach and it's front-page news, experts warn.

"There's a general lack of security," said Stan Schatt, vice president and research director at ABI Research in Oyster Bay, N.Y. "It's something that's been below the radar screen of most companies. And the cell phone companies have not really encouraged this discussion. If they're not necessarily selling security services, then it would be negative marketing in effect unless they have a solution for it."

It might be an interesting test to ask an airport how many lost cell phones they get everyday versus how many laptops.
Bill Hughes
Last week, Trend Micro Inc. announced it had found a pair of security flaws on Microsoft's Windows Mobile, a popular operating system used in smartphones -- wireless phones with special computer-enabled features such as email and Internet access.

Schatt said at least 30 forms of malware written specifically to exploit smartphone operating systems have been identified during the past two years. He estimated that as many as 90% of smartphones are exposed and unsecured right now.

Despite the rise of smartphone malware, businesses aren't making security a priority.

"Just because they're not concerned doesn't mean it's any less of a threat," said Bill Hughes, principal analyst at In-Stat, a Scottsdale, Ariz.-based research firm. "They could be sitting on a time bomb for all they know."

That time bomb could wreak havoc, since, as Schatt pointed out, most road warriors are executives with access to emails that contain sensitive information about product announcements, litigation or financial results, for example.

"Sometimes people take smartphones back to the office and basically communicate with their PCs to download and upload whatever files they need," Schatt said. "That's a potential target right there."

Chuck Kramer, senior vice president and chief technology officer at Social & Scientific Systems Inc., a Silver Spring, Md.-based technical and research support firm, said the deployment of smartphones at his company is very limited. As a consequence he has seen little need to secure the devices. He said his employees use smartphones mainly for email, which is secured centrally on his Exchange server.

"Very few of them even know how to access the Internet from their phones," Kramer said of his company's road warriors.

On the other hand, Kramer said smartphone security has been something of a hot topic when he gets together with other CIOs.

"There's a guy with one of the local hospitals who is just going nuts," Kramer said. "He's got all these high-level employees and doctors who want to have their own phones."

Hughes said the amount of sensitive data living on smartphones is relatively low for now. But email and media files are vulnerable. Smartphones are already being attacked by spyware, such as keyloggers, he said. But it isn't just malware that poses a risk.

"For data, the biggest risk you've got is people losing their phones," Hughes said. He pointed out that many of the high-profile data breaches reported in recent years have involved lost or stolen laptops. Perhaps stating the obvious, he said a smartphone is much easier to lose than a laptop.

"It might be an interesting test to ask an airport how many lost cell phones they get every day, versus how many laptops," Hughes said.

More on mobile computing
Executive Guide: Mobile Computing

Mobile workers push for smartphones

Mobile device encryption -- a practice not often applied
Schatt said security will rise as a priority as smartphones proliferate in the market and gain more computing power and memory. Eventually vendors will see there is money to be made in managed security services.

Sprint Business Solutions, a division of the mobile phone service provider, announced late last year Sprint Mobile Security, a managed security service that protects mobile devices with policy management tools, endpoint security solutions and encryption. Notably, Sprint is offering this end-to-end mobile security service across platforms and across cell phone carriers -- an indication the company has recognized the dearth of security in the mobile market.

Stephanie Burnham, general manager of product marketing for security and services at Sprint Business Solutions, said smartphone security is still in its infancy.

"When we first started this, we were very focused on the firewall, antivirus and VPN," Burnham said. "That has turned out to be -- I don't want to say overblown -- but we haven't had a significant pain point in mobile devices with malware. The most dangerous part of mobile device data is human error."

Burnham said security will become a major issue as smartphones become more powerful. CIOs might be tempted to ban the devices as a reactionary defensive measure, but it won't do any good. Only comprehensive security will protect businesses.

"People are seeing they have the power to do work on [Palm] Treos rather than laptops because they have the OS space and the speed of network to support it," she said. "I think we're going to see viruses and worms and other malware. I think the hype preceded the actual pain. The problem is handheld devices are a much more personal choice than a laptop. IT administrators are faced with a challenge. They can say that nothing's allowed in the company, and savvy users will rig their own devices to get on the network."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer

Dig Deeper on Enterprise mobile strategy

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.