Androids, iPads, iPhones are creating panoply of corporate risks

By Byron Acohido, USA TODAY, 31May2011, P1B

Companies are grappling with unforeseen security, privacy and legal conundrums introduced by a host of cool mobile devices flooding into the workplace.

Executives eager to sport the hottest tech gear and workers accustomed to mixing social and work activities on the go are multitasking on personally owned mobile devices in record numbers.

Workers are bringing mobile devices to work at such a scale that company security technicians can’t keep up. “It’s an impossible task,” says Patrick Sweeney, product management vice president at network security firm SonicWall. “Control of these devices has become very complex because of the varying software and device types.”

Results of a recent survey of 1,400 technology professionals in 14 nations show 21% of companies have no restrictions on use of personal mobile devices, while 58% have lightweight policies, and only 20% have stringent guidelines. The poll was conducted by security firm McAfee, a division of Intel.

“A lot of organizations have yet to really lock down mobile access,” says Jamie Barnett, McAfee’s senior director of mobility products. “That tells me there is definitely an opportunity for security and compliance gaps.”

An obvious risk: employee-owned smartphones, tablets and e-readers containing work-related materials that turn up missing. Some 40% of organizations responding to McAfee’s survey reported mobile devices lost or stolen, often involving the loss of critical business data.

What’s more, the cyberunderground is adapting hacks and scams — proven to work profitably on desktops and laptops — to Internet-connected mobile devices, says Anup Ghosh, founder of Web browser security firm Invincea.

Worldwide smartphone sales are on track to top 467 million units this year, tablet PC sales should approach 70 million, and e-reader sales, 14.7 million, according to research firm Gartner. Two years ago, smartphone sales rang in at 172 million units; tablets, zero; and e-readers, 3 million.

“As mobile devices become a replacement for the desktop computers, the problem of malware (malicious software) will grow significantly on the mobile platform,” says Ghosh. “Unfortunately, the security industry has not developed products suitable for battery-constrained mobile devices, which makes it ripe ground for malware writers.”

Underground and legitimate researchers flushed out 163 fresh security holes in mobile operating systems in 2010, compared with 115 in 2009, says Dean Turner, global intelligence director for antivirus giant Symantec.

It won’t be long before cyberthieves steal information off mobile memory cards and run networks of corrupted computers from mobile devices, Turner testified at a congressional hearing on cybersecurity threats recently.

They already are creating tainted apps, several of which have surfaced in the Android Market, Google’s official online store, says Kevin Mahaffey, chief technology officer at Lookout Mobile Security.

One recent attack spread corrupted versions of 50 legitimate game and entertainment apps, which were downloaded at least 250,000 times. On each infected handset, the attacker opened a connection to a remote server from which malicious programs could have been embedded in the phone, Mahaffey says.

Of particular concern is location-tracking technology built into the hottest-selling smartphone and tablet models. Roughly one-third of the Web apps available in Android Market and in Apple’s App Store make use of location data that can pinpoint the whereabouts of the device user, says Mahaffey.

But location-tracking introduces unprecedented privacy and legal concerns, says Hugh Thompson, chairman of RSA Conference, the top cybersecurity conference held annually in San Francisco. “Time-bomb may not be the right word, but there certainly are some interesting unintended side effects coming to light,” says Thompson.

A company manager could theoretically track what employees do in off hours and factor that into decisions for bonuses or promotions. Or an aggressive salesman could use location-tracking apps tied to popular services like Foursquare and LinkedIn to track a rival’s travel schedule. The salesman could then piece together who his rival is making pitches to, then subsequently undercut him, says Thompson.

Currently getting a lot of discussion in legal and privacy circles is a scenario whereby a company gets sued and the court orders data seized from an employee-owned smartphone. “If I get this device I also get access to all this interesting personal data about the employee too,” notes Thompson.

McAfee’s Barnett observes that technology departments are being “asked to offer access to, while managing and securing, mobile devices in a much faster, more complex way than ever before.”

“In the past we asked IT to issue a company-owned laptop, gave a few privileged users locked-down BlackBerries,” says Barnett. “Today they’re being asked to accomplish a far greater feat.”
