Lax approach to mobile security

People, not technology, to blame

Street-wise? When you're out in public places, there are certain things you do for reasons of personal safety and security, especially in unfamiliar locations. Look before crossing the road. Keep your money and credit cards hidden from view. Destroy credit card chits carrying copies of your signature to keep them out of the wrong hands. Avoid the large gang of drunken tearaways at midnight, and so on.

But technology does strange things to people's view of security, and expectations alter dramatically. Take PINs on credit and debit cards, for instance. Keying in a secret four-digit code is not automatically more secure than openly writing a complex but only vaguely repeatable line of scrawl (did anyone ever really check signatures anyway?), and it is certainly not secure once the secret code has been shared. The technology does not make things more secure by itself; the process, and the way the PIN is kept closed and private, can.

When money is lost from an account, consumers immediately assume a bank error and rarely believe it is their fault, whereas banks act as if they only ever lose money through fraud. There are instances when the extreme views at either end are correct, but most often the truth will lie somewhere in the middle. Partly, security is the responsibility of the banks or issuing authorities and the way they deal with the retailer, and partly it is down to the individual card holder - a shared responsibility.

Keypads and screens have to be large enough to use and see, and that makes them easier for others to see too. So the right thing to do, as a minimum, is to destroy the PIN confirmation letter as soon as it arrives, never write the PIN down on a piece of paper that others might see, and shield the keypad from view while keying it in.

Move from personal security and one's own valuables to the assets entrusted to employees by their employers, and responsibility is still seen as shared, but the reality shifts somewhat. This is particularly true of the attitudes of users of various types of mobile device. According to a recent Quocirca survey of over 2000 IT professionals, almost three quarters think there is a shared responsibility for keeping a mobile device safe and secure, yet almost half of the IT managers who responded characterised the attitude of users as "irresponsible".

What has led to this perception, and have mobile users always been irresponsible?

At one time business users would cup a hand over their mouth as they spoke potentially sensitive information into a mobile phone in a public place. There were even aftermarket products to shield the mouth from view. Today conversations are conducted even in the most crowded areas, and sensitive information can be overheard on almost any train or city centre bus. Personal information might be regarded as non-confidential and shared this way, but commercial information should be better protected.

The picture is no better with a mobile computer. As screen brightness has improved and viewing angles have widened, not only does the user get a better view, but so does anyone else nearby. It probably isn't a huge problem for much of the information, but most businesses would still prefer it not to be shared. When we researched mobile security issues just under a year ago, two thirds of IT professionals rated data falling into the wrong hands through theft or loss of a device as the most important mobile security issue.

Snooping is only one way information may be lost or accidentally disclosed, but it is indicative of a casual approach from the mobile user, which spills over into how they look after the device as well as the data on it.

In some respects, the smart handheld devices - PDAs, BlackBerries and so on - are more discreet. Private messages can be sent as emails rather than bellowed within earshot of passers-by, the screen can be angled away from prying eyes to keep sensitive information private, and with suitable device management software the device can be remotely backed up, wiped of data and completely disabled.

Here too, however, the technology is not the issue; it's the people and processes. Smaller devices are easier to mislay than larger ones, and according to our research too many companies leave smart handheld security in the hands of the user, or treat it as less important than laptop security. The potential privacy gains are eroded by a lax approach.

A change in attitude is needed, and it has to come from the top. Mobile security needs to be spelled out in policies and supported by appropriate technologies, but ultimately it is everyone's responsibility to behave securely and professionally to protect business assets.

Are your mobile phones and PDAs protected by a PIN? Is it the same one as your credit card? Oh dear.

Copyright © 2006, IT-Analysis.com

Rob Bamforth is a principal analyst working with Quocirca Ltd, focusing on the areas of service provision and mobility.
