Mobile security demands comprehensive approach, IDC conference told

But this will not be easy as there is a "hideous amount of hype" in the mobile security market and many users of mobile devices still believe they are inherently secure, he told the IDC IT Security Conference 2011 in London.

"Businesses need to urgently secure mobile devices as employees increasingly mix work and play, but perhaps the biggest problem is awareness among users," he said.

All security and training should touch on the mobile issue, as most users who have a good awareness of risky behavior on the desktop do not apply the same principles when it comes to mobile devices, said Lyne.

Users need to be made aware, for example, that mobile devices typically broadcast information in the background all the time looking for wireless networks they have connected to before.

"Cyber criminals have tools to sniff this information, which can be used to trick mobile devices into connecting to networks controlled by them. Once connected, criminals have a way in," he said.

The technological challenges are also significant, said Lyne. "The next couple of years will see a massive evolution of mobile devices and security controls. We are seeing the most significant change since the move from mainframes," he said.

Businesses and users need to recognize that mobile devices such as smartphones are computers too, and need to be treated accordingly when it comes to security and data leakage.

At the most basic level, he said, businesses must ensure that secure passwords are being used on mobile devices, users know that they need to be as cautious about security warnings as they are on the desktop, that they apply all patches as soon as possible, and that communication channels are secure by forcing secure socket layer encryption.

IDC recommends a comprehensive approach to securing mobile devices, data and applications, said Nicko van Someren, chief technology officer at enterprise mobility firm Good Technology.

Locking down devices, particularly where they are owned by employees, is impractical, he said, as is blacklisting, which is nearly impossible to maintain for the hundreds of thousands of applications in the market.

The most effective and practical approach is a combination of security at the application level, he said, securing the communication channels, securing the data once it reaches the device, implementing policy controls on what can be done with the data, and providing management of the device.

"Simple mobile device management is insufficient; it has to be tied with management of the data itself, so that business data can be separated from personal data," said Van Someren.

This approach gives business the ability to apply a single security policy consistently to any device and have complete control over business data, and even types of business data on mobile devices, he said.

This story was first published by Computer Weekly

What’s hot on Infosecurity Magazine?