CIOs must take steps to safeguard mobile devices from malware.
By Deon Liebenberg, regional director for Sub Sahara Africa at Research In Motion (RIM), the company behind the BlackBerry® solution
Many companies in South Africa are starting to roll out mobile devices to boost the productivity of their mobile workers. However, the lure of empowering employees and making them more efficient (for example, BlackBerry smartphone users save an average of 60 minutes a day, according to Ipsos Reid) should be balanced with the need to secure the information that can be accessed on them.
Chief Information Officers (CIOs) must pay close attention to the new security risks that mobile devices such as smartphones are prone to, and ensure that they have the right measures in place to protect the enterprise.
One threat that is growing in significance as more users count on smartphones for business applications is mobile malware. Just like PC viruses, malicious code has the potential to run undetected on a smartphone and wreak havoc within a corporate network.
Virus and other malware protection
Viruses, trojans, worms, and spyware - collectively referred to as malicious software, or malware for short - can be designed to load themselves onto vulnerable smartphones with poor security, and run without user knowledge or action. Once they've burrowed their way into a smartphone, malware programmes can cripple the device by effectively using all its available memory.
A more dangerous malicious programme could transmit itself across the wireless network, bypassing some of the corporate network security systems, and potentially damage or infiltrate other components of the corporate network.
Most enterprises count on real-time anti-virus scanning software to prevent the transmission and proliferation of malware on computers. However, smartphones are a different kettle of fish insofar as they are constrained by finite memory, processing power, and battery life. This means that the standard computer network approach of detecting malware using a large, frequently updated, local database or a constant connection to an online database has to be tailored.
A superior approach to protect against malware on smartphones is to proactively prevent loading or running unauthorised code. This can give system administrators the ability to perform the following actions:
Specify exactly which applications - trusted, corporate-approved applications only - are permitted on the device.
Prevent third-party applications from using persistent storage on the device.
Determine which resources, such as email, phone, and device encryption key and certificate store, third-party applications can access on the device.
Restrict the types of connections, such as network connections inside the firewall, that a third-party application running on the device can establish.
Block all third-party applications from loading onto and running on the device.
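The controls listed above, sketched as a default-deny policy check. This is an added example, not RIM's or BlackBerry's implementation; the `DevicePolicy` and `AppRule` names, the use of a SHA-256 digest to identify a package, and the sample packages are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

def digest(package: bytes) -> str:
    """Identify an application by the SHA-256 of its package bytes (assumption)."""
    return hashlib.sha256(package).hexdigest()

@dataclass(frozen=True)
class AppRule:
    """What one approved application may do; everything defaults to denied."""
    persistent_storage: bool = False
    resources: frozenset = frozenset()    # e.g. {"email", "phone", "keystore"}
    connections: frozenset = frozenset()  # e.g. {"internal", "external"}

@dataclass
class DevicePolicy:
    """Hypothetical centrally managed policy pushed to a device."""
    block_all_third_party: bool = False
    approved: dict = field(default_factory=dict)  # digest -> AppRule

    def rule_for(self, package: bytes):
        # Default deny: unknown or modified packages get no rule at all.
        if self.block_all_third_party:
            return None
        return self.approved.get(digest(package))

    def may_load(self, package: bytes) -> bool:
        return self.rule_for(package) is not None

    def may_persist(self, package: bytes) -> bool:
        rule = self.rule_for(package)
        return rule is not None and rule.persistent_storage

    def may_access(self, package: bytes, resource: str) -> bool:
        rule = self.rule_for(package)
        return rule is not None and resource in rule.resources

    def may_connect(self, package: bytes, kind: str) -> bool:
        rule = self.rule_for(package)
        return rule is not None and kind in rule.connections

# Constructed sample packages (stand-ins for real application binaries).
EXPENSES = b"corp-expenses 1.0"
TAMPERED = b"corp-expenses 1.0 + injected code"
GAME = b"free-game 3.2"

POLICY = DevicePolicy(approved={
    digest(EXPENSES): AppRule(resources=frozenset({"email"}),
                              connections=frozenset({"internal"})),
})
LOCKDOWN = DevicePolicy(block_all_third_party=True, approved=POLICY.approved)
```

Because the approved application is matched by digest, a modified copy of it is treated like any other unknown package and is refused at load time.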
Attachment viewing and malware
Email attachments that users open on smartphones can contain viruses and other malware. Proactive solutions using a malware-detecting attachment service employ renditions rather than supporting native files. In this scenario, the user can still view and manipulate the data, but the file is not opened natively on the device itself.
This measure is designed to prevent malicious applications from accessing data on the device. If a wireless solution includes a remote, protected server to perform attachment-related actions, the attachment-processing server can still be vulnerable to attack from viruses and other malware. However, it is easier for the IT department to manage and update software on this server rather than on a smartphone, which can help prevent these attacks - plus the server is not constrained by processing power or battery life.
Role of a corporate firewall
The corporate firewall is a critical component in protecting an organisation's data and can guard against attack or malicious use. Ensuring that data sent to and from a smartphone is housed within a firewall can safeguard corporate information, as encryption technology can be employed for protection in transit, eliminating the opportunity for tampering or corruption. It is also advisable to ensure that the connection over the wireless network is secure, to maintain the confidentiality, authenticity, and integrity of the data transmitted.
To protect their mobile devices and networks from malware, CIOs should invest in mobile solutions that have security baked into the devices and supporting infrastructure. These security features built into the solution need to be as unobtrusive as possible so that they don't detract from the ease of use of the device or the end-user's efficiency and productivity.
It's critically important to look for solutions that give network administrators the ability to centrally set and manage policies, such as which applications users may install on their smartphones. Mobile devices such as smartphones are integral parts of many enterprises' business processes, and should be secured with as much care as PCs and the corporate network.