Security Risks in the Mobile Enterprise
Windows Mobile powered devices and software offer potential benefits to the enterprise, including lower operating costs and greater productivity. However, organizations that deploy mobile enterprise solutions need to make security a priority. The following illustration shows possible security threats to a corporate network that supports mobile devices.
- Device loss or theft. Losing a device to mishap or theft can cause lost productivity, data loss, and potential liability under data-protection laws. Thousands of mobile phones and networked handheld devices are lost or stolen every year. As sales of mobile devices increase, the negative effects of device loss and theft are sure to increase accordingly.
- Loss of sensitive data. Some organizations consider mobile devices a security risk only if they have a business application installed. Other organizations consider the loss of calendar and contact information a security risk. Consider the potential consequences if an executive’s e-mail inbox or calendar, full of meetings and briefings, were retrieved by a competitor. Contact information can also cause problems if it falls into the wrong hands, as recent high-profile incidents have demonstrated. Organizations need to protect the data on their employees’ mobile devices.
- Unauthorized network penetration. Because many mobile devices provide a variety of network connectivity options, they could potentially be used to attack protected corporate systems. Attackers who gain access to a mobile device may be able to impersonate a legitimate user and gain access to the corporate network.
- Unauthorized Bluetooth or Wi-Fi access. Many mobile phone users employ hands-free Bluetooth headsets, potentially leaving hackers a hole for BlueSnarfing data on the device or BlueBugging to gain control of the device. Ad hoc wireless network connection can also lead to unauthorized device access.
- Intercepted or corrupted data. With so many business transactions taking place over mobile devices, there is always concern that critical data could be intercepted along the path through the Internet cloud, via tapped phone lines or intercepted microwave transmissions.
- Malicious software. Viruses, Trojan horses, and worms are familiar threats to traditional workstations and laptops. While mobile devices have not yet become a significant target, there is a growing consensus among security experts that mobile devices will be targeted. Even malicious software not designed to deliberately inflict damage may have unintended consequences such as data disclosure or corruption.
- Unsupported or unsigned applications. Older applications that are no longer supported, while they may still work, are dangerous because they may be vulnerable to attack by new viruses. If an unsigned application is installed on a device, it could make changes to a device that would jeopardize its security.
- Unauthorized device connectivity. An employee connecting a personal device to the Exchange Active Sync may bypass security settings and applications required on a corporate device.