Companies Spooked About Smart Phone Security

Economist

Sponsored by Cupertino, Calif.-based Symantec, the study showed that enterprises use the security excuse more than any other for not rolling out advanced handsets.

More than 60 percent named security concerns as an obstacle to making data available to workers using wireless and remote computer technologies; security handily beat "cost and complexity," which was named as a trouble spot by 47 percent of the companies queried.

"The enterprise security model is outdated," said Paul Miller, Symantec's director of mobile and wireless solutions. "Security [concerns] is slowing down deployment of smart phones. And even when they're taken into account, it's often done ad hoc. Administrators, however, want a complete view. They want one compliance report, one admin console, and a complete view of their perimeter."

Until mobile security is addressed, companies will avoid mobile computing, the survey concluded. In part, that's because enterprise administrators believe that an attack on a mobile endpoint are more likely than on their fixed-line infrastructure. Virus attacks and hacking attempts are both more likely via a mobile network, they said.

That runs counter to the relative paucity of mobile-based exploits and threats. While Symantec's Miller noted that the number of mobile malware has grown by more than 200 percent in the last six months, the total identified by the company thus far is only 130. Security companies spot more than that number of PC-aimed viruses, worms, and Trojans each month.

Miller denied that Symantec, or any other security company, hypes the danger from mobile threats.

"We make our marketing in line with the actual threat," he said, and said it was important for corporations to get a handle on mobile network security now, rather than later.

"It would be better to learn about mobile security now rather than during an attack crisis," Miller said.

"Smart phones are at the early edge of adoption. But when adoption goes up, so do threats. If these cycles of adoption, neglect, and threat continue, enterprises are headed for a 'perfect storm' kind of security breakdown."

The 100 or so pieces of malware aimed at mobile devices have been mostly low-level threats that spread slowly, although a few have stood out. In late February, for example, security vendors warned of the first cell phone Trojan horse.

Miller predicted that while enterprises would not experience a huge, landmark attack on mobile networks -- it's unlikely there will be an event like 2001's Code Red or Nimda in the mobile space -- he's betting that an every escalating series of attacks will make corporations take notice.

"There won't be a single catastrophic event. I see an increasing level of pain, though, if you don't secure the smart phone.

"When smart phones are left unsecured, they're the weakest link."

Coincidentally, a Symantec rival, Moscow-based Kaspersky Labs, also took note Tuesday of the threat posed to mobile devices and networks.

In the second part to its 2005 report on malware evolution, posted Tuesday, Kaspersky called out mobile threats, but noted that a real risk is still off in the future.

"Step by step, cyber criminals are starting to target mobile devices which run fully functional operating systems (e.g. smart phones, PDAs)," the report read.

"However, a significant increase in the number of malicious programs for mobile devices is still in the future. Once the number of smart phone owners who use e-payment services, and who use their phones to access such services reaches critical mass, this will undoubtedly motivate cyber criminals to start actively targeting smart phone users as a source of potential profit."

Kaspersky's complete report can be found here.