Lax approach to mobile security

People, not technology, to blame

Street-wise? When you're out in public places, there are certain things to do for reasons of personal safety and security, especially in unfamiliar locations. Look before crossing the road. Keep your money and credit cards hidden from view. Destroy credit card chits with copies of signatures to keep them out of the wrong hands. Avoid the large gang of drunken tearaways at midnight, and so on.

But technology does strange things to people's view of security, and expectations alter dramatically. Take PIN numbers on credit and debit cards for instance. Keying in a secret four-digit code is not automatically more secure than openly writing a complex but only vaguely repeatable line of scrawl (did anyone ever really check them anyway?), and certainly not very secure when the secret code is shared. The technology does not make things more secure, but the process, and the way the PIN is kept closed and private, can.

When money is lost from an account, consumers immediately assume a bank error and rarely believe it is their fault, whereas banks act as if they only ever lose money through fraud. There are instances when the extreme views at either end are correct, but most often the truth will lie somewhere in the middle. Partly, security is the responsibility of the banks or issuing authorities and the way they deal with the retailer, and partly it is down to the individual card holder - a shared responsibility.

Keypads and screens have to be large enough to use and see, and that makes it easier to be seen by others. So the right thing to do as a minimum is destroy the PIN confirmation upon arrival, not write the PIN down on a piece of paper that others might see, and shield the keypad from view during usage.

Moving from personal security and one's own valuables to those entrusted to employees by their employers, the view of responsibility is still shared, but the reality shifts somewhat. This is particularly true for the attitudes of the users of various types of mobile devices. According to a recent Quocirca survey of over 2000 IT professionals, almost three quarters think there is a shared responsibility for keeping a mobile device safe and secure, but the attitude of users is best characterised as "irresponsible" by almost half of those in IT management who responded to the survey.

What has led to this perception, and have mobile users always been irresponsible?

At one time business users would cup their hand to their mouth as they spoke potentially sensitive information into a mobile phone in a public place. There were even aftermarket products to shield the mouth area from view. Today, not only are conversations engaged in, even in the most crowded areas, but sensitive information can be heard on almost any train or city centre bus. Personal information might be regarded as non-confidential and shared this way, but commercial information should be better protected.

The picture is no better with a mobile computer. As screen brightness has improved, and viewing angles widened, not only does the user get a better view, but so does anyone else around. It probably isn't a huge problem for much of the information, but most businesses would still prefer it not to be shared. When we researched mobile security issues just under a year ago, two thirds of IT professionals rated data falling into the wrong hands by theft or loss of a device as the most important mobile security issue.

Snooping is only one way some information may be lost or accidentally disclosed, but it is indicative of a casual approach from the mobile user, which spills out into how they then look after the device as well as the data on it.

In some respects, the smart handheld devices - PDAs, BlackBerries and so on - are more discreet. Private messages can be sent as emails, rather than bellowed in earshot of passers-by, the screen can be angled from prying eyes to keep sensitive information private, and with suitable device management software, the device can be remotely backed up, wiped of data and completely disabled.

Here too, however, the technology is not the issue; it's the people and processes. Smaller devices seem to be easier to mislay than larger ones, and according to our research, too many companies leave smart handheld security in the hands of the user, or treat it as less important than that of laptops. The potential privacy gains are eroded by a lax approach.

A change in attitude is needed, and this has to come from the top. Mobile security needs to be spelled out in policies and supported by appropriate technologies, but ultimately it is everyone's responsibility to behave securely and professionally to protect business assets.

Are your mobile phones and PDAs protected by a PIN? Is it the same one as your credit card? Oh dear.

Copyright © 2006, IT-Analysis.com

Rob Bamforth is a principal analyst working with Quocirca Ltd, focusing on the areas of service provision and mobility.
