Feeds

Lax approach to mobile security

People, not technology, to blame

Boost IT visibility and business value

Street-wise? When you're out in public places, there are certain things to do for reasons of personal safety and security, especially in unfamiliar locations. Look before crossing the road. Keep your money and credit cards hidden from view. Destroy credit card chits with copies of signatures to keep them out of the wrong hands. Avoid the large gang of drunken tearaways at midnight, and so on.

But technology does strange things to people's view of security, and expectations alter dramatically. Take PIN numbers on credit and debit cards for instance. Keying in a secret 4 digit code is not automatically more secure than openly writing a complex but only vaguely repeatable line of scrawl (did anyone ever really check them anyway?), and certainly not very secure when the secret code is shared. The technology does not make things more secure, but the process, and the way the PIN is kept closed and private, can.

When money is lost from an account, consumers immediately assume a bank error and rarely believe it is their fault, whereas banks act as if they only ever lose money through fraud. There are instances when the extreme views at either end are correct, but most often the truth will lie somewhere in the middle. Partly, security is the responsibility of the banks or issuing authorities and the way they deal with the retailer, and partly it is down to the individual card holder - a shared responsibility.

Keypads and screens have to be large enough to use and see, and that makes it easier to be seen by others. So the right thing to do as a minimum is destroy the PIN confirmation upon arrival, not write the PIN down on a piece of paper that others might see, and shield the keypad from view during usage.

Moving from personal security and one's own valuables, to those entrusted to employees by their employers, and the view of responsibility is still shared, but the reality shifts somewhat. This is particularly true for the attitudes of the users of various types of mobile devices. According to a recent Quocirca survey of over 2000 IT professionals, almost three quarters think there is a shared responsibility for keeping a mobile device safe and secure, but the attitude of users is best characterised as "irresponsible" by almost half of those in IT management who responded to the survey.

What has led to this perception, and have mobile users always been irresponsible?

At one time business users would cup their hand to their mouth as they spoke potentially sensitive information into a mobile phone in a public place. There were even aftermarket products to shield the mouth area from view. Today, not only are conversations engaged, even in the most crowded areas, but sensitive information can be heard on almost any train or city centre bus. Personal information might be regarded as non-confidential and shared this way, but commercial information should be better protected.

The picture is no better with a mobile computer. As screen brightness has improved, and viewing angles widened, not only does the user get a better view, but so does anyone else around. It probably isn't a huge problem for much of the information, but most businesses would still prefer it not to be shared. When we researched mobile security issues just under a year ago, two thirds of IT professionals rated data falling into the wrong hands by theft or loss of a device as the most important mobile security issue.

Snooping is only one way some information may be lost or accidentally disclosed, but it is indicative of a casual approach from the mobile user, which spills out into how they then look after the device as well as the data on it.

In some respects, the smart handheld devices - PDAs, BlackBerries and so on - are more discrete. Private messages can be sent as emails, rather than bellowed in earshot of passers-by, the screen can be angled from prying eyes to keep sensitive information private, and with suitable device management software, the device can be remotely backed-up, wiped of data and completely disabled.

Here too, however, the technology is not the issue, it's the people and processes. Smaller devices seem to be easier to mislay than larger ones, and according to our research, too many companies leave smart handheld security in the hands of the user, or treat it as less important than that of laptops. The potential privacy gains are eroded by a lax approach.

A change in attitude is needed, and this has to come from the top. Mobile security needs to be spelled out in policies and supported by appropriate technologies, but ultimately it is everyone's responsibility to behave securely and professionally to protect business assets.

Are your mobile phones and PDAs protected by a PIN? Is it the same one as your credit card? Oh dear.

Copyright © 2006, IT-Analysis.com

Rob Bamforth is a principal analyst working with Quocirca Ltd, focusing on the areas of service provision and mobility.

Securing Web Applications Made Simple and Scalable

More from The Register

next story
Brit celebs' homes VANISH from Google's Street View
Tony Blair's digs now a Tone-y Blur
German government orders local CIA station chief to pack his bags
Sour Krauts arrest second local in domestic spy ring probe
Snowden leaks latest: NSA, FBI g-men spied on Muslim-American chiefs
US Navy veteran? Lawmaker? Academic? You're all POTENTIAL TERRORISTS
LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more
First cross-platform version of cleaned-up OpenSSL fork
UK's emergency data slurp: IT giants panicked over 'legal uncertainty'
PM says rushed-through DRIP law will 'plug holes' in existing legislation
Russian MP fears US Secret Service cuffed his son for Snowden swap
Seleznev Jnr is 'prolific trafficker in stolen credit card data', it is alleged
Teensy card skimmers found in gullets of ATMs
Hi-tech fraudsters treading more softly, but gas still yielding bang for buck
Weaponised Flash flaw can pinch just about anything from anywhere
This is a 'patch now or regret it sooner-rather-than-later' mess for you and webmasters
Victim of Tor-hidden revenge smut site sues Tor Project developers
But EFF lawyer says deep-web team 'no more liable' than web server makers
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximizing your infrastructure through virtualization
Virtualization continues to be one of the most effective ways to consolidate, reduce cost, and make data centers more efficient.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.