"Peripheral devices on the network may have capabilities the business doesn't know of," says Kevin Brown, delivery manager for custom testing at security assessment firm ICSA. "And those capabilities can create security vulnerabilities."
It’s how you manage the use of your mobile devices. Factors such as design flaws and the architecture of the mobile device make it the greatest threat to your organization today.
Let’s take a closer look at why your smartphone is not so smart for the enterprise.
1. Some manufacturers refuse to implement security applications on the mobile device because doing so is cost-prohibitive.
2. The memory space in the stack gives root access to your mobile device.
3. A plethora of “free” copies of popular apps are available for download, laced with insidious spyware.
4. The geo-location capabilities on handhelds give attackers access to sensitive information.
Now let’s look at the anatomy of an attack:
- The user is tricked into installing the malware.
- This gives the attacker the ability to structure the attack.
- Attackers can build their attacks in such a way as to know if you have access to sensitive facilities based on geo-location data.
So does your company truly comprehend this threat?
“This is why products like RIM’s BlackBerry Enterprise Server and antivirus software for mobile devices are so important. Although a lot of companies are moving away from RIM’s BES because of costs (both in hardware and software), BES offers 450 security policies (35 in the free Express version) that can be applied to users’ devices.
Microsoft Exchange 2007 only supports 29 policies (which has been increased to 45 in Exchange 2010), and half of those policies require an Exchange Enterprise Client Access License (CAL), which most organizations do not purchase. And with the addition of so many hardware vendors (Apple’s iPhone, Google, Palm WebOS, etc.) licensing Microsoft’s ActiveSync, not all those vendors support all of those policies or sometimes don’t even divulge which policies they support and which they do not.
This is a hot topic as many organizations are required by either federal or state laws to have device encryption enabled on all mobile devices in the event that they are lost or stolen.
Even though additional software and sometimes hardware is required to secure organizations’ ever-growing mobile workers, they are a necessity. Smaller organizations may not think that this is an issue, until one of their employees loses their mobile phone with sensitive company data or personal information on it.”