Selling security: Scaremongering or sound argument?

Selling security: Scaremongering or sound argument?

David Ginsburg, product manager Innopath
David Ginsburg, product manager Innopath

The PC and the mobile phone are still a long way apart in technology, capability and use – but they’re getting closer by the minute. If mobiles look and work like computers, it seems logical to assume that they’ll start suffering the same problems as computers. And that could be Real Soon Now … But there’s a widespread perception that talk of mobile phone viruses, bluejacking, text spam and phishing is engineered to sell unnecessary add-ons such as anti-virus software and remote handset management. The truth probably lies somewhere in the middle – but where should we strike the balance? And what are the implications for resellers in the mobile space?

First things first: everyone agrees that up to now there have been very few outright attacks on mobile devices. But the consensus is that things are

changing

Todd Thiemann, Director of Device Security Marketing at Trend Micro says the threat of mobile malware has been at the ‘proof of concept’ stage to date, meaning that cyber criminals are testing the waters to see what is possible. But the dangers will “probably” grow as the number of smartphones increases.

“It is currently much easier to make an illicit profit with PC malware, but this is likely to change in the future as unit volume shipments of mobile phones are now growing at a faster rate than PCs.” In short – “it will soon be the case that mobiles offer a much larger target than PCs”.

Dr Guy Bunker of another anti-malware developer, Symantec, agrees. He says criminals only spend their time attacking the most ‘popular’ systems – . “why bother to spend time and effort writing an exploit for something that only has a small percentage of target systems?”

But the opportunities are there, and growing. “Mobile phones now hold information on individuals’ bank accounts, credit cards, usernames, passwords and all sorts of other interesting information – not just people and their telephone numbers.

“Internet access (and for many it is always on) means people do their banking and shopping on their phones.”

And of course there’s a real business dimension too. Jason Langridge, UK Mobility Business Manager at Microsoft’s Mobile arm, points out that “mobile devices are fast becoming the de facto way of doing business”. As a result, “confidential data and company Intellectual Property are often stored on a mobile”.

So the sensitive information is going to be there on the device. But additionally, the mobile web provides an obvious attack vector for criminals – an always-on connection, especially via WiFi or the web, provides a ready route into the handset.

As Andrew Bradshaw, VP of Sophos UK, puts it: “The network as we know it is changing … We are also seeing a shift in malware. Data theft is big business, and we are seeing even PCI-compliant companies losing data to clever fraudsters.”

And criminal malware isn’t the only issue. Gareth Maclachlan, COO at AdaptiveMobile, notes the statistical reality that more than 80% of phone users worldwide have received spam on their mobile phone; “the average tier-one mobile operator cleanses approximately 90,000 viruses each day, and some users are unwittingly sending up to 200 MMS [spam messages] per day.

“While some of these attacks are commercially focused, the others are threatening or offensive. Either way, they are unwelcome and intrusive and need dealing with.”

He also makes the point that by their nature businesses are vulnerable to mobile security threats. “Procurement will tend to buy large numbers of similar phone models— which makes it easier for viruses to spread. Shared contact lists are an obvious step for an organisation that wants to save its employees time, but it also makes people more likely to open potentially infected MMS or trust SMS from people in their address book.“

And here’s a telling one: “most business users never see their phone bill, so will never query the additional charges that may be the result of a security breach, giving fraudsters the opportunity to make more money undetected over a longer period of time.”

 

The dangers

Trend Micro’s Todd Thiemann says the major threats to business users today come in two forms: malware and physical loss. “The most widespread of these attacks are the loss or theft of devices that may contain sensitive information such as trade secrets of intellectual property. An In-Stat analyst recently estimated that 700,000 Smartphones were lost or stolen in 2007.”

Guy Bunker of Symantec adds: “Companies lose around 5% of their laptops per year—and you are 22 times more likely to lose a mobile device than a laptop!”

But the mobile malware threat is growing, and it’s getting pretty clever. “One example we have seen recently is greyware, a type of mobile malware that can be used for spying on unsuspecting users. Although this may be for legitimate purposes in some regions, it can also be used for the illicit monitoring or spying on SMS traffic.”

Gareth Maclachlan and AdaptiveMobile take a broader view. “Mobile telephony is a very private medium of communication, and therein lies the danger. At the individual user level, the threats lie in unwanted and inappropriate content including SMS and MMS spam, pornography, illicit or even illegal content.”

And organisations have a broad responsibility here. “Threats such as cyber-bulling that are becoming a growing social problem are also prominent in the corporate world, especially as the proportion of company communications conducted through mobile devices continues to increase. According to the Dignity at Work Partnership, 6.2% of UK employees have been bullied via a text message and almost 9% believe that cyber-bullying is a problem in their current organisation.“

Spam is going through the roof, too. Recent YouGov research for Cloudmark has shown that 66% of UK mobile phone users have been victims of spam, with the number of 18 to 24 year olds targeted as high as 75%.

The survey which explored experiences and attitudes towards mobile spam found that the service providers are going to be the ultimate victims as 28% of consumers blame their operator for unwanted communications and 44% would consider changing network because of mobile spam. This figure rises to 65% as soon as the frequency of unwanted messages hits one or more a month.

In addition, there are data protection issues and industry-specific regulations that need to be borne in mind. “For example, the FSA is proposing that both MiFID (Markets in Financial Instruments Directive, a regulatory regime to increase competition and consumer protection in investment services) and non- MiFID compliance companies should record certain telephone conversations for regulatory purposes, as a measure to assist in preventing fraud. Undoubtedly, business conducted via mobile phones will also be affected.

“Further, PCI compliance will come into play for organisations, especially retailers, as mobile payments become more widespread.”

 

Response

So how should malware and similar threats be countered? Well, it all depends on where you stand – or rather, where you make your money.

AdaptiveMobile sells an operator-oriented solution, so it’s no surprise that Gareth Maclachlan sees the solution at the operator’s end. “For mobile security to be truly effective, personal and corporate mobile users alike are therefore dependent on their mobile network operator to manage these unwanted communications, at the network level.”

He makes the point that mobile needs a specific type of response. “Unfortunately, traditional PC network security cannot be transferred to the mobile world, where the challenges are very different and more complex.

“For instance, spam filters don’t work for SMS and MMS as they do on emails. Also, the threats in the mobile space are not usually traditional viruses, which are designed to be highly virulent and so easily detected. Instead, rogue applications and even incorrectly written applications can cause significant havoc, but do not meet the PC vendors’ definition of viruses, and so are excluded from their AV clients.“

Sophos sells into business and so sees the significant role as being the end-user’s: “While it is true that only a smart proportion of data is being stolen from non-computer devices, it would be wise to ensure that a companywide policy as to their use is in place.

“Data theft can be as easy as stealing someone’s USB stick or username and password. Think of Single Sign-On, for instance, which will give access to all your applications in one go. The wrong person getting a hold of that has access to all the data you are allowed access to, without any further barriers.”

His solution: restrict the type of mobile device given to users. “Only allow devices you can prove give you an added business benefit. Then make sure the users are educated as to what can go wrong and make sure the information the device can access is as secure as possible. And consider having application control. Certain applications have a business use and are appropriate; others are not – disallowing these will lower the security risks while increasing productivity.”

More specifically, there’s a real need for user awareness and education. Andrew Bradshaw, VP of Sophos UK, reckons the user is actually the biggest single risk here. “The ignorant user—that is, one that has not been educated on acceptable behaviour in terms of password use, appropriate application use, the important of security, etc—is at much greater risk than someone who understand the risk and the actions they should take should something go wrong.

Jason Langridge of Microsoft agrees: “First and foremost, end user education is key. Employees need to understand that a mobile phone can potentially be a gateway to a company’s confidential information, whether it be leaving a mobile phone in a taxi or failing to implement a secure password, employees need to be aware of the potential consequences if a device falls in to the wrong hands or is compromised in some way.

“For businesses it is key to ensure employee mobile phones are managed securely, in particular phones that are being in brought in through the back door, owned by staff but used for work purposes.” This is where one of his products—Microsoft’s System Center Mobile Device Manager—comes in. This is a management platform that is compatible with the recently announced Windows Mobile 6.1; it should enable the IT department to protect sensitive information by encrypting the device, remotely wipe devices and also provide secure remote access to applications inside the corporate network.

 

What to sell

Dr Guy Bunker, Symantec
Dr Guy Bunker, Symantec
 

How to sell

User education is the principal requirement. That of course means the seller has to be aware of all the issues – including the danger of scaremongering. A realistic assessment of the scale of threats around the mobile phone is necessary.

As Andrew Bradshaw says: “A reseller who is knowledgeable about security risks and can properly assess the level of risk involved can add significant value to a customer. Again, preventive measures are much more cost effective, both in terms of financial and resource investment as well as in return business, than reactive measures.

Security can be part of the productivity argument, and should be emphasised as one aspect of a wider device management solution. “Resellers can point out the potential for improving productivity through mobilizing applications, be it push email, customer relationship management, enterprise resource planning,

Todd Thiemann, Director of Device Security
Todd Thiemann, Director of Device Security Marketing, Trend Micro

or field service automation,” says Todd Thiemann of Trend Micro. “Resellers should also point out and address the issues involved in ensuring that these devices are secured properly.”

In short, “the issue of mobile security is a relatively new one for customers and the reseller can act as an advisor as enterprises grapple with how to leverage smartphone technology, whilst ensuring the information kept on their devices is kept safe.

David Ginsburg, product manager for InnoPath, thinks the smartphone user should mandate the same protection as on a PC, especially if they are using the device for email and browsing. “At present, this is post-sale in the operator, where the user is expected to find and install the solution. It is not heavily marketed. This should change with the operator considering it a network deployment. On the enterprise side, I think they understand the problem, and where they are asking operators for EDM services, they are mandating this protection.

Bradshaw reckons resellers should also be educating themselves on the Network Access Control market. “This is a big growth area and one which has many strengths in helping secure the network from potential risks. Its policy implementations can help administrators stay on top of their network and stay informed on what is trying to access the network but is posing a risk. Not only does it prevent access to non-compliant systems, it also reports any findings to administrators.

“Resellers can also talk to anti-virus for mobile devices, especially when speaking to businesses. As many phone can synchronise with the network, it is vital that they do not introduce any risk.”