Feeds

Lax approach to mobile security

People, not technology, to blame

Security for virtualized datacentres

Street-wise? When you're out in public places, there are certain things to do for reasons of personal safety and security, especially in unfamiliar locations. Look before crossing the road. Keep your money and credit cards hidden from view. Destroy credit card chits with copies of signatures to keep them out of the wrong hands. Avoid the large gang of drunken tearaways at midnight, and so on.

But technology does strange things to people's view of security, and expectations alter dramatically. Take PIN numbers on credit and debit cards for instance. Keying in a secret 4 digit code is not automatically more secure than openly writing a complex but only vaguely repeatable line of scrawl (did anyone ever really check them anyway?), and certainly not very secure when the secret code is shared. The technology does not make things more secure, but the process, and the way the PIN is kept closed and private, can.

When money is lost from an account, consumers immediately assume a bank error and rarely believe it is their fault, whereas banks act as if they only ever lose money through fraud. There are instances when the extreme views at either end are correct, but most often the truth will lie somewhere in the middle. Partly, security is the responsibility of the banks or issuing authorities and the way they deal with the retailer, and partly it is down to the individual card holder - a shared responsibility.

Keypads and screens have to be large enough to use and see, and that makes it easier to be seen by others. So the right thing to do as a minimum is destroy the PIN confirmation upon arrival, not write the PIN down on a piece of paper that others might see, and shield the keypad from view during usage.

Moving from personal security and one's own valuables, to those entrusted to employees by their employers, and the view of responsibility is still shared, but the reality shifts somewhat. This is particularly true for the attitudes of the users of various types of mobile devices. According to a recent Quocirca survey of over 2000 IT professionals, almost three quarters think there is a shared responsibility for keeping a mobile device safe and secure, but the attitude of users is best characterised as "irresponsible" by almost half of those in IT management who responded to the survey.

What has led to this perception, and have mobile users always been irresponsible?

At one time business users would cup their hand to their mouth as they spoke potentially sensitive information into a mobile phone in a public place. There were even aftermarket products to shield the mouth area from view. Today, not only are conversations engaged, even in the most crowded areas, but sensitive information can be heard on almost any train or city centre bus. Personal information might be regarded as non-confidential and shared this way, but commercial information should be better protected.

The picture is no better with a mobile computer. As screen brightness has improved, and viewing angles widened, not only does the user get a better view, but so does anyone else around. It probably isn't a huge problem for much of the information, but most businesses would still prefer it not to be shared. When we researched mobile security issues just under a year ago, two thirds of IT professionals rated data falling into the wrong hands by theft or loss of a device as the most important mobile security issue.

Snooping is only one way some information may be lost or accidentally disclosed, but it is indicative of a casual approach from the mobile user, which spills out into how they then look after the device as well as the data on it.

In some respects, the smart handheld devices - PDAs, BlackBerries and so on - are more discrete. Private messages can be sent as emails, rather than bellowed in earshot of passers-by, the screen can be angled from prying eyes to keep sensitive information private, and with suitable device management software, the device can be remotely backed-up, wiped of data and completely disabled.

Here too, however, the technology is not the issue, it's the people and processes. Smaller devices seem to be easier to mislay than larger ones, and according to our research, too many companies leave smart handheld security in the hands of the user, or treat it as less important than that of laptops. The potential privacy gains are eroded by a lax approach.

A change in attitude is needed, and this has to come from the top. Mobile security needs to be spelled out in policies and supported by appropriate technologies, but ultimately it is everyone's responsibility to behave securely and professionally to protect business assets.

Are your mobile phones and PDAs protected by a PIN? Is it the same one as your credit card? Oh dear.

Copyright © 2006, IT-Analysis.com

Rob Bamforth is a principal analyst working with Quocirca Ltd, focusing on the areas of service provision and mobility.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.