
Smart Phones "Bigger Security Risk" Than Laptops 174

CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"
  • by Anonymous Coward on Monday June 02, 2008 @08:52PM (#23633535)
    So this is not just "iPhone" fear mongering

    In fact, why is it fear mongering at all?

    Do all slashdot submissions have to end in a catchy imbalanced question?
  • Well. (Score:4, Interesting)

    by alexborges ( 313924 ) on Monday June 02, 2008 @08:53PM (#23633541)
    On this topic, the thing here is that the web is there to address this problem.

    If the execs were forced to go to the website to do anything, then they can do whatever the hell they want with their phone.
  • by CorporalKlinger ( 871715 ) on Monday June 02, 2008 @09:31PM (#23633767)
    I've had a Palm Treo 755p Smartphone for about 9 months. I have a lot of medical data on my unit, including (unfortunately) some patient data. I've tried to use Palm's "Private Records" feature for sensitive data, but it's too complex and unreliable. Some things that I mark as private show up in the regular views anyway, without needing to be unlocked with a password, even after I try to "lock" them or mark them as "private" multiple times. I doubt they're actually encrypted, either - probably just a bit-flag which only some software on the device reads and uses.

    So I tried instead to set up an automatic lock on my device - I figure a power-on password should be fine. I set that up - and unfortunately, even though I set it to auto-lock after 1 hour of non-use, it NEVER asks for the power-on password. I've set it up exactly as Palm's site suggests... it still won't auto-lock the unit.

    The thing is that the tech seems to need a fix before we can go about blaming the users. I've never lost a patient file or my phone, but obviously it would be a major problem if something like that did happen. Thankfully, the healthcare system I work for is going to electronic records, so nothing will be stored on my Palm anymore; I'll just use my cell plan to connect to the server (SSL encrypted) and access files wirelessly.

    Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data. Someone needs to come up with something better than what's currently available - maybe once it's "expected" - much like a password when you log onto Windows - it won't be such a big deal for people to use it.
  • by Idbar ( 1034346 ) on Monday June 02, 2008 @09:47PM (#23633881)
    People with PDAs (I don't know if particularly iPhones) fail to realize that the PDA security is not the problem but the confidence they have that their PDAs can't fall into wrong hands. It doesn't really matter if your PDA is the most secure device against attacks, if something like a phone can be easily lost or stolen and you only have to "slide" your finger to unlock sensitive information.
  • by Nuclear Elephant ( 700938 ) on Monday June 02, 2008 @09:59PM (#23633961) Homepage
    > Do you think the passwords execs could remember would help with securing PDAs and smart phones?

    No, because PDA passwords are easily defeated [zdziarski.com].
  • by Opportunist ( 166417 ) on Tuesday June 03, 2008 @12:38AM (#23634827)
    A real life example of a job I had a while ago. Security guy at an auditing company for banks. One of the things I had to do was ensure that reports can under no circumstances whatsoever get leaked. I spent the better part of two months locking down servers and creating VPN tunnels to pretty much every bank in the country that we deal with. With foolproof interfaces, point 'n click, so even our auditors could understand it. Double checking that the right document reaches the right bank (because, of course, one of the key security requirements was that no bank may UNDER ANY CIRCUMSTANCES get internal information of other banks). Security was the big thing, and nobody questioned any expense I asked for as long as "for increased security" was somewhere on the application.

    Then we had a conference at a hotel. And suddenly one of our top chiefs in charge comes out of the hotel management area with a report. Asking what this is about, I got this information:

    He forgot to bring this report along so he asked one of our auditors who had the report to send it. From a different bank. Unencrypted. To the hotel. And he asked the hotel manager to print it.

    My question whether he wants to end my life prematurely with a heart attack was met with a blank stare.
  • by dave1791 ( 315728 ) on Tuesday June 03, 2008 @01:18AM (#23635009)
    > It's possible to lock it all down instead of live in fear.

    That is the default position here on /.; that of a sysadmin. My perspective is that of a user. IT is often too insular and unresponsive to the needs of its users. It tends to be bureaucratic and sees everything through the prism of security risks and administration. User workflows are not often adequately addressed. The popularity of Microsoft's SharePoint server is often attributed to departments circumventing central IT. Why would people do this?

    For example, it is important in my job to keep abreast of news and blogs in my field. Now I can spend a couple of hours per day manually checking various sources, or I can set up RSS feeds, scan headlines, read deeper where needed and take care of this in 15 minutes. IT had disabled the RSS feed reader in Outlook, so I have to circumvent the way that IT apparently wants me to work. I use an offsite feed aggregator to avoid having to install unauthorized software. My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role.

    I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work.
  • iPhone, because... (Score:3, Interesting)

    by Anonymous Coward on Tuesday June 03, 2008 @01:54AM (#23635155)
    It's apropos to bring up iPhone because, as far as strictly consumer devices go, the iPhone is the biggest share of the Smartphone market. And, as Apple continues to cannibalize its iPod market, that share is just getting bigger, bringing people into the market who had not previously owned iPhones.

    Now, that's not such a big problem as far as this particular issue (enterprise security) is concerned. What IS a problem is when one of the big mucketty-mucks in the company wants to start using an iPhone instead of a more secure enterprise-quality device, like the Blackberry (#1 device in enterprise messaging). Using an iPhone in the enterprise brings, to use the terminology of a network security expert, a huge shit-storm of security holes.

    Feel free to google the subject- bottom line, iPhone has NO security. As the mega-popular "jailbreak" application handily proves. The issue isn't HOW to break an iPhone's security... it's choosing WHICH ONE would be easiest for you to work with.

    A skillful hacker can get access to anything and everything on the iPhone. Want to use it as a mobile wiretap? No problem. Look through its camera? No problem. Download the entire contact list, or install a keylogger, or grab any other information (including credit card numbers) held on the device. Not a problem at all.

    And THIS is the kind of thing LUsers want to bring onto the network, and get all whiny when the IT staff tells them no. Personally, I don't care, since my place only gives wireless connections access to the internet (it's completely segregated from the "real" network). However, most places have a network designed by idiots, and those are the places most at risk... and most likely to trash their security in order to accommodate something like iPhone connectivity.

    Now as a side point, my workplace is also testing MS ActiveSync, which is supposed to provide connectivity to the iPhone as an enterprise mail client. The tests have been... pretty substandard. We are primarily a Blackberry shop, and if anyone switches from BB to iPhone, they are going to be pretty disappointed if they expect the same level of functionality. Personally, I'll be waiting to get a Blackberry Bold.
  • by Lumpy ( 12016 ) on Tuesday June 03, 2008 @09:31AM (#23637215) Homepage
    It's not. It's a note on how executives are the Security hole.

    When I worked at Comcast the IT department was THREATENED with retaliation and firings if we did not set certain executives' Blackberrys to not have any passwords. They hated to have to enter passwords and even complained and forced their way to even have their laptops not auto lock the login.

    It's these immature executives that are the biggest security hole. And it's not getting better.

    They demand to have it their way and will bully everyone including the IT department to do their bidding. And the CTOs at these companies don't have the balls to stand up to the execs and tell them, "You will do what my underlings tell you to do. And you will not fire them or threaten them."

    Until then IT departments' hands are tied. If you stand up for security you get fired by the first whiney bitch executive that does not want to be bothered with entering a passcode on his blackberry.
  • Re:Not surprising (Score:4, Interesting)

    by Lumpy ( 12016 ) on Tuesday June 03, 2008 @09:37AM (#23637281) Homepage
    How about the content of my CEO's phone? We are a 10 man shop. We are worthless then, right....

    He's got the entire customer contact list. Our competition would pay at least $2500.00 for that.

    He's got his email on there, Competition would love that as well.

    Also 2 gigs worth of OneNote files on specific projects being bid on, internal documents, etc...

    I'm betting to the right buyer his phone unlocked is worth at least $10,000.00 as it can generate at least a quarter million in additional sales and revenue.

    Oh I know of at least 4 companies around here that would love to get their hands on that info.

    gamemaster_bm seems to not know anything about business and the value of insider information. It's worth a crapload to that company's competition.
