Friday, February 16, 2007

Enterprises are uncertain about mobile security

Nancy Gohring, 02/16/2007

San Francisco (IDGNS) - Uncertainty about how to secure mobile phones in the face of increasing threats is slowing enterprise adoption of mobile applications, experts exhibiting at the 3GSM World Congress in Barcelona this week said.

Over two-thirds of mobile operators in Europe that took part in a survey said that they detected more than 100 incidents involving mobile viruses or mobile spyware in 2006, according to a study conducted by Informa for security software developer McAfee. The number of European operators reporting more than 1,000 such incidents more than doubled in 2006 compared to the previous year, the report said.

IT administrators, uncertain how to protect their users from such attacks, are unwilling to enable mobile access to applications for workers.

"Enterprise security professionals haven't really worked this out yet," said Lorcan Burke, CEO of AdaptiveMobile. Companies such as banks, with strict security requirements, simply block access to any service, including Internet access, that could open doors to security issues, he said.

At the recent RSA Conference in San Francisco, some of the most crowded events were those tackling mobile security issues, said Simeon Coney, vice president of marketing for AdaptiveMobile. That was an indication that IT administrators are trying to find out how serious mobile security problems are and how to address them, he said.

Mobile services can be secured in the application, the network or in hardware or software on the device. Among operators responding to the McAfee study, most found that virus protection was most important at application and device levels, although more of them had deployed network-level security systems than the other options. Over 200 respondents from the operator community took part in the study.

AdaptiveMobile makes network-level security products for operators, including a system for filtering viruses in e-mail, SMS (Short Message Service), MMS (Multimedia Messaging Service) and WAP (Wireless Application Protocol) traffic. Beyond viruses, AdaptiveMobile can also control content, so it can stop phishing and other fraudulent attacks, or limit the types of content end users can access.

If an operator has deployed AdaptiveMobile's platform, an IT administrator in a company can set and manage such controls down to the level of individual users.

For the mass market, AdaptiveMobile's product allows operators to notify a user by text message if their phone becomes infected with a virus and offer a download, either for free or for a fee, to disinfect the device. Without such software, operators will replace a user's device or ask them to send it off for disinfection, both costly propositions.

A network-based security mechanism offers some advantages over anti-virus software that sits on the handset, Burke said. Handset software doesn't prevent phishing and other nonviral scams. In addition, anti-virus software isn't compatible with all phones, making it logistically difficult for the software developers to tweak their products for each version of every phone and make sure to sell the proper software to end users.

He calls anti-virus software on the handset "the minimum acceptable response. It's a tick in the box to make people feel comfortable."

Some developers also sell security mechanisms that sit in the phone's hardware. Such solutions are ideal for organizations with very strict security requirements, such as government users, Burke said. One downside to the hardware-based solutions is that they take about two years to make it into a handset, he noted.