Frank Kenney knows well the potential harm lax smartphone security can pose to credit unions and any other enterprise that allows employees to access their networks with those phones.
The vice president of global strategy at Ipswitch Inc. had left his iPhone in a security bin at Boston Logan International Airport, a discovery he made when the onboard instruction came to turn off all electronic devices.
"I couldn't very well get off the plane to retrieve the phone, so when we got to 10,000 feet I used the iPhone find application on another device and remotely wiped that phone," said Kenney, a former lead analyst for file transfer technology at Gartner.
"I knew I could get the phone when I got back home to Boston. That wasn't my concern. It's what was on that phone, very sensitive merger and acquisition information, pricing details, information far more valuable than the phone itself," Kenney said.
Kenney was prepared but he said he wonders how many others would have been. Indeed, a recent international survey by London-based Ovum showed that smartphone use among corporate employees is growing fast, both through company-supplied devices and employees using their own to access corporate networks.
The survey found that 48% of employees at firms it contacted are allowed to use their own mobile devices that way, and that 70% of employees who have company-owned computing devices are allowed to use them for personal purposes.
Not just high-level executives have potentially damaging data on their smartphones. "You may have a credit card number because you're a sales person. You may have test results if you're a medical professional. It's going to be different in different industries," Kenney said. "Whoever it is, they need to understand they have the responsibility for the security of their data and will be held accountable for what happens to it."
"Companies need to recognize that more and more of their employees do have these devices and that they need to supply them with enterprise tools that allow them to remotely wipe and lock phones, and they need to enforce policies that require you to not even be able to get e-mail on those phones unless the security features have been implemented," Kenney said.
More ways of doing that are emerging, said Jeff Nigriny, president of CertiPath, a Herndon, Va., provider of credential certifications that allow organizations, including private companies and government agencies, to securely exchange data.
He suggested developers look at one of the most secure if one of the most simple, in computing terms. "Consider the smart card," Nigriny said. "It has one of the slowest processors around but it's one of the most functional security devices we have in the market today."
Similar security could be built into far-more powerful smartphones, and they also can be used to read fingerprints and even the iris of the owner's eye, Nigriny said, adding that the Department of Defense is now leading the way in that regard in its work to secure smartphones in the Pentagon. Nigriny sees the technology already being used to secure everything from entering buildings to securing mobile payments.
Cost will be a factor, though. "It's been a big Achilles heel for us. There's a very high one-time cost relative to any one transaction, but if I can start aggregating partners' networks and buildings, or mobile banking transactions, now this is very attractive because my cost per transaction has gone to pennies," he said.
While iPads and other tablets also will be a factor, "I think this is all going to converge on the smartphone and it'll happen in the next five years," Nigriny said.
Tracking what employees are doing with phones is another consideration. TriGeo Network Security Inc. of Post Falls, Idaho, a network security provider to credit unions and other businesses, specializes in doing that on networks but finds extending to smartphones a challenge.
"We have a relatively small agent for tracking what someone does once they get into a network but it just isn't present today at the phone level," said Michael Maloof, TriGeo's chief technology officer.
"I believe the industry is moving in that direction, and we'll see a third-party application built right into the phone that can limit what apps can be installed as well as encrypt data or limit access to it," Maloof said.
"BlackBerry's leading the charge on that right now, and I think it will be a product differentiator going forward," he said. "We really do need a way to control how sensitive information is stored and encrypted and accessed."
Whoever goes first, others will follow, because people simply are going to use their mobile devices for work and personal reasons, according to the people behind the Ovum report.
"Employees will want to use their devices, no matter who owns them, for both their work and personal lives," said Graham Titterington, principal analyst at Ovum in London. "Organizations must establish a holistic security strategy that addresses the consumerization of this fast-growing channel into corporate networks and data."
Maloof at TriGeo added, "Everyone has this on the tip of their tongues right now. There's a fear factor about it. That's because the reality is that there are thousands of phones lost every month, probably in New York City cabs alone."
