Smart Phones "Bigger Security Risk" Than Laptops

CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"

  • by Anonymous Coward on Monday June 02, 2008 @08:56PM (#23633557)
    iPhones are extremely secure against attack, and most definitely via remote. This article sounds like it's by people who have never seen an iPhone and assume they are just as insecure as anything else out there. It's simple: if it's not the iPhone's authorized user, the data on it will not be able to be accessed.
  • Not surprising (Score:5, Insightful)

    by grizdog ( 1224414 ) on Monday June 02, 2008 @08:57PM (#23633565) Homepage
    Usually there is a tension between security and convenience/ease of use. Convenience is going to be paramount for most users of mobile phones, PDAs, etc. So security will typically take a hit.

    Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.

  • by samkass ( 174571 ) on Monday June 02, 2008 @08:58PM (#23633571) Homepage Journal
    The only handhelds allowed to connect to our corporate network are company issued ones, and they come locked down so you have to enter a password after a few minutes of inactivity to do anything except answer the phone. Our laptops come with the whole-disk encryption pre-installed. All external web access goes through the company proxy.

    It's possible to lock it all down instead of living in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down my ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.

    (And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )
  • by Sigma 7 ( 266129 ) on Monday June 02, 2008 @09:18PM (#23633687)
    The cell phone I have has one level of protection: a PIN that only needs to be entered when it turns on. As long as it's on, you can do anything you want with it, including modifying content or planting evidence. In addition, you can still access content on the phone by attaching it to a computer (without any need to enter a PIN).

    As a result, I'm not storing any sensitive information on the phone.

    The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a PIN when you wanted to access private data. However, this was a PDA rather than a cell phone.

  • by s4ltyd0g ( 452701 ) on Monday June 02, 2008 @09:24PM (#23633735)
    It's pretty much a done deal. Keep sensitive data on a small device and if you lose it, assume it's compromised. Password or not.

    regards
  • Re:Not surprising (Score:2, Insightful)

    by gamemaster_bm ( 591638 ) on Monday June 02, 2008 @09:27PM (#23633757)
    In addition to this point, very few companies (i.e. not Fortune 500s) have either data or IP worth stealing on executives' mobile phones or PDAs. Laptops I can understand needing additional security if one is used as a workstation, but convenience for the average executive outweighs the potential security risk. What it comes down to is that those companies that do have sensitive data on their mobile devices are probably large enough to have a competent IT staff capable of locking the device down properly.
  • by Darkness404 ( 1287218 ) on Monday June 02, 2008 @09:43PM (#23633839)

    Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting


    And honestly, a lot of them could be right that it wasn't worth protecting. For example, what percentage of documents really need to be secret for a company's existence? My guess is about .001%. From where I have worked and what I have seen, most of the documents are simply letters, forms, etc. and not Our_Credit_Card_Numbers.doc or All_Employee_SSN.xls. So for most people, most small businesses, most employees, the information isn't really worth protecting. Now, if you are, say, a bank, the information is more valuable than, say, a restaurant's or a factory's info, but for the average employee with a laptop, most if not all of the documents are free of personal information or company secrets. Chances are some guy with a packet sniffer will get more information off of a laptop than a thief taking it and reading the documents.
  • analog hole (Score:5, Insightful)

    by Gothmolly ( 148874 ) on Monday June 02, 2008 @09:43PM (#23633843)
    I can't carry an iPhone, but I can bring home a file folder full of secrets.
    I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
    My email is filtered for PPI and dirty words, but you don't filter my Gmail.
    I can't FTP, but I can attach 10 MB files to webmails.

    Build a better mousetrap, and some management school out there will produce a stupider monkey.
  • by kandresen ( 712861 ) on Monday June 02, 2008 @09:45PM (#23633855)
    I have been wondering about when I would be able to encrypt my cell phones and PDAs the way I encrypt my other data. There is a problem however: the phone must be on in order to get calls... That means the system password is almost always already in use, thus making it very easy to obtain by cooling down and picking out the RAM and using a card reader.

    So I am hoping for a two-stage system where call logs, the full content of my address book, notes, calendar and so on are stored and encrypted separately from the basic parts of the system. Incoming call logs could then be stored in a temporary mode until I enter my storage password, at which point I would get access to the secure data using a separate password.

    There are of course problems here too: notifications of upcoming calendar events, and displaying name/number association for incoming calls, among other issues. It will be necessary to allow personal choice for what should be cached outside of secure memory, but I certainly look forward to having more secure options for cell phones and PDAs!
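As an added example of the two-stage design sketched in the comment above (this is not code from the post, nor from any real handset firmware): a small Python model in which events that arrive while the device is locked land in a plaintext quarantine, and are merged into a password-protected vault the next time the owner unlocks it. The key is only held in memory while unlocked, which is the point of the design against the RAM-extraction scenario the comment raises. The cipher here (PBKDF2 key derivation, an HMAC-SHA256 keystream XORed over the data, plus an HMAC tag checked before decryption) is a standard-library-only stand-in chosen so the example runs anywhere; a real device would use a vetted AEAD such as AES-GCM instead. The class and method names, and the vault/quarantine layout, are assumptions made for this example.

```python
"""Two-tier store for a phone: plaintext quarantine while locked, encrypted
vault readable only after the storage password is entered.

Added example for this discussion, not from any real product. The cipher is
a stdlib-only demonstration (HMAC-SHA256 keystream + HMAC tag); use a vetted
AEAD (e.g. AES-GCM) on a real device.
"""
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000   # PBKDF2 work factor (assumption for the example)
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(password: str, salt: bytes):
    """Derive independent encryption and MAC keys from the storage password."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; only used as a toy stream cipher here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or vault tampered with")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class PhoneStore:
    """Hypothetical handset storage: encrypted vault + plaintext quarantine."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        keys = derive_keys(password, self.salt)
        empty = {"contacts": {}, "call_log": []}
        self.vault = seal(*keys, json.dumps(empty).encode())
        self.quarantine = []   # events recorded while locked; readable by anyone
        self._keys = None      # None means locked: no key material in RAM

    def lock(self):
        self._keys = None

    def unlock(self, password: str) -> dict:
        keys = derive_keys(password, self.salt)
        data = json.loads(unseal(*keys, self.vault))   # raises on wrong password
        # Fold quarantined events into the vault, then wipe the plaintext copy.
        data["call_log"].extend(self.quarantine)
        self.quarantine.clear()
        self.vault = seal(*keys, json.dumps(data).encode())
        self._keys = keys
        return data

    def _update(self, mutate):
        data = json.loads(unseal(*self._keys, self.vault))
        mutate(data)
        self.vault = seal(*self._keys, json.dumps(data).encode())

    def record_incoming_call(self, number: str):
        event = {"number": number}
        if self._keys is None:
            self.quarantine.append(event)          # locked: hold in the clear
        else:
            self._update(lambda d: d["call_log"].append(event))

    def add_contact(self, name: str, number: str):
        if self._keys is None:
            raise PermissionError("unlock the vault first")
        self._update(lambda d: d["contacts"].__setitem__(number, name))

    def caller_id(self, number: str) -> str:
        """Name/number association is only available while unlocked; this is
        the trade-off the comment points out for incoming-call display."""
        if self._keys is None:
            return number
        data = json.loads(unseal(*self._keys, self.vault))
        return data["contacts"].get(number, number)
```

Someone who images the device while it is locked gets the salt, the opaque vault blob and whatever sits in the quarantine (here, bare numbers of calls that arrived since the last unlock), but no key material. Note that Python offers no way to guarantee the dropped key is actually scrubbed from memory; a real implementation would zero the key buffer in lock().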
  • Re:Not surprising (Score:5, Insightful)

    by blincoln ( 592401 ) on Monday June 02, 2008 @09:54PM (#23633923) Homepage Journal
    In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones or PDA's.

    The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?
  • Re:Not surprising (Score:5, Insightful)

    by geekmux ( 1040042 ) on Monday June 02, 2008 @09:57PM (#23633947)

    In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones... What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly.
    Er, contacts, sensitive emails, HR data, IP, financial data, contracts, just what exactly does your average CxO NOT deal in? Give me a break man, I mean hell, would YOU hand over YOUR smart phone to a stranger and not think twice about it? Your opinion on the value of data pretty much says it all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one...
  • PDAvailable (Score:3, Insightful)

    by hyades1 ( 1149581 ) <hyades1@hotmail.com> on Monday June 02, 2008 @10:05PM (#23634001)

    Come on, now. If the information's on a PDA, anybody with the IT version of a bent paperclip will be able to get it.

    What's the first security rule for a PC: If they have physical access to your computer, your data is theirs. I would bet my bottom dollar that 90% of the security problems concerning a PDA result from exactly that: loss of physical control of the device.

  • by Achromatic1978 ( 916097 ) <robert@@@chromablue...net> on Monday June 02, 2008 @11:36PM (#23634531)
    What a complete and total arse you are. How is the iPhone magically more secure than any other phone if it is stolen (a large part of what the article is about)?

    How is the iPhone magically invulnerable to wireless issues, as the sister post describes?

    Another fanboy, "Oh no! Someone's perhaps saying something potentially negative about an Apple product! Must rush to defense!"

  • by CorporalKlinger ( 871715 ) on Tuesday June 03, 2008 @12:03AM (#23634679)
    Reprehensibly lax? You'd be surprised how insufficient most healthcare systems are when it comes to securing patient privacy. The extent of HIPAA at some hospitals involves ensuring that the clipboard cover of a patient's chart is closed when visitors or guests walk past - though there's nothing to stop those visitors from picking up the file and looking in it while nobody at the clerk station is paying attention.

    The point here is that healthcare records are going electronic. I'm required to have OB/GYN notes for patients on me at the drop of a hat in case a delivery comes through the ER doors at 2 in the morning. When I'm heading to a patient's home for a visit (yes, some of us still do visit patients' homes!), it's far more convenient - and safer - for me to have their phone number and chart on my Smartphone than to print out their chart and bring a paper copy to their house. What happens if I am in a car accident and the file is stolen in the mix of the accident? What happens if someone breaks into my vehicle and I have other patient files kept there for other visits that I plan to do during the day (which I can't bring into the home and expose to the patient I'm seeing - again, HIPAA).

    It's far simpler to have records stored in one SECURE place, but not every component of that device is secure. I haven't heard of any HanDBase hacks yet - I'm sure they're out there in the wild - but I haven't heard of them. Still, that leaves other information open to use and exploitation. HanDBase doesn't integrate well with the phone system; you can't even copy and paste a phone number for a patient from HanDBase into the phone application on my SmartPhone - so do I write it down? Do I try to remember the phone number and risk dialing a wrong number and giving my patient's name to some unknown person on the other end of the line when I ask for them (especially since I'm usually doing about 2 dozen things at a time) - or do I store the numbers of the patients I call most often in the address book and simply tap "call" next to their name when I need to contact them?

    You lack a basic understanding of the workload placed on healthcare professionals and the impracticality of using a centralized computer system for everything. Thank goodness our health network is going wireless so docs can continue using their phones - which have become invaluable in improving patient care - and use them safely through encrypted data connections back to the hospital data center. You act as though storing a few patient files on a phone is some sort of sin; you give me a better way to have the exact prescriptions, doses, surgical and medical histories, etc. on every patient at my fingertips when I'm called to the ER to see one of my patients and the hospital's computer system is down or the record can't be found in the system because of reason X, Y, or Z. FIX THE TECH. The people want to USE the tech and use it responsibly, but if the technology isn't repaired FIRST, then the expectations placed on practitioners to go paperless are placing everyone at risk.

    I'm describing the problem - it needs a solution. If you don't have one, I suggest you put your fingers in your ears instead of on your keyboard.
  • by Opportunist ( 166417 ) on Tuesday June 03, 2008 @12:11AM (#23634711)
    So far the theory.

    Now, let's see who uses Blackberries. Managers. Who makes security guidelines? Managers. Who have usually little to no technical skills and loathe everything that keeps them from "just using" stuff? Managers.

    I wish you all the luck in the world to convince your managers that those security features are a good idea.
  • by Opportunist ( 166417 ) on Tuesday June 03, 2008 @12:14AM (#23634725)
    Security is the minimum of the system's capability and the user's capability. You can have the most secure system, but with a moron at the helm it is easily compromised. If nothing else works, you can rest assured that he will simply hand over all the necessary information to his attacker himself.

    Security is a matter of improving technology and training your staff. Doing just one of them will not increase your security past the more insecure one of them.
  • Re:Not surprising (Score:3, Insightful)

    by garett_spencley ( 193892 ) on Tuesday June 03, 2008 @01:00AM (#23634915) Journal
    "What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly."

    "all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one..."

    Jesus H. ... who to trust ? On the one hand GP makes a good point and on the other P makes a good one.

    If only life were simpler ...
  • Ha!HA!Ha! (Score:3, Insightful)

    by rts008 ( 812749 ) on Tuesday June 03, 2008 @03:23AM (#23635453) Journal
    Security?
    There is none.
    Cell phone users don't seem to care who is around (in listening distance to their conversations) so SECURITY is a moot point!
    I have experienced this while working as a cashier at a local "shit and get" store. Most people are so caught up in their 'own little cellphone world' that they forget about anyone around them.
    Most people are so jaded about their surroundings while talking on cellphones that IT security does not even enter the picture.

    I get so tired of it that I usually toss them out until they finish their conversation.
    Basically, have the respect and courtesy to deal with me and your purchase, or get the fsck out. I don't want to be subjected to your phone conversation. Deal with it.
  • by Anonymous Coward on Tuesday June 03, 2008 @05:28AM (#23635807)
    Who has access to the information? The employee.
    Who knows what information to get? The employee.
    Who has the password? The employee.

    Besides the PEBKAC, most company compromises are done.... through the employee.
  • by turbidostato ( 878842 ) on Tuesday June 03, 2008 @03:59PM (#23642877)
    "That is the default position here on /.; that of a sysadmin. My perspective is that of a user. IT is often too insular and unresponsive to the needs of its users."

    I'm in IT and I have to tell you two things:
    1) I'm a user as much as a sysadmin, or what did you think? So please consider that I do see it from both perspectives: that of the sysadmin I am and that of the user I am too, so it might be, from this alone, that I'm in a more relevant position regarding this issue than you.
    2) More often than not, IT is neither insular nor unresponsive, since it holds no power to go one way or the other. Just as in everything else, it is management that provides the strategies and objectives that IT just puts into practice. More often than not, it is not IT that will cut you off from your RSS feed but a manager who said that "all that lost time blogging and what-not must finish", IT being just the executing arm.

    There is a time when IT is really unresponsive, and that's when, as usual, IT is heavily understaffed and overburdened and holding all responsibility for "IT matters" instead of asking for employees' maturity: when somebody loses a check that was supposed to be taken to a bank office, it's the employee's responsibility for not being cautious enough; when his PC is flooded with worms because he was at goatse on office time, it's an IT problem more often than not. In the end, if the employee visits goatse it's IT's fault, but if, as expected, trying to cope with HR problems via technical solutions affects somebody's productivity, it's IT's fault too!

    "My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role"

    You forget that most probably it is your boss who asked, directly or indirectly, for your RSS feeds to be cut off, and it's your boss, directly or indirectly, who is responsible for asking contradictory efforts of different parts of the company's staff. On the other hand, you too are a bit at fault: "my having to circumvent IT..." Would you dare to circumvent the bean counters so you can get your stuff for a given project faster? Would you dare to think you surely see the "whole picture" regarding your company's financials better than the bean counters, so it's in your company's overall best interest for you to circumvent financial policies and procedures?

    "I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work."

    And you are probably right about that. But do you really think it's IT that decided not to spend the effort, time and money for such an interview?
