
Modern Nomads


Can you afford to ignore device security?

Jaap van Ekris • 09 Apr 2006 [23:12 UTC]
Business Use

Many people worry about mobile device security. According to a study initiated by Symantec, many companies (around 60%) are shying away from deploying mobile devices because of the security concerns involved. Management worries about the security of mobile devices, and system administrators feel they have no grip on it. Although in the short term this might counter the risk, in the long run the result is that many system administrators simply deny the existence of mobile devices, enlarging the security problem instead of managing it explicitly.

83% of all mobile devices enter the business through the backdoor without any security policy enforced

Windows Mobile devices are entering the business, even if the company itself does not support this. Although some enter the business through the front door, like the recent Census Bureau order, a staggering 83% enter through the backdoor. Employees simply buy the device privately, or get the device for free with a telephone subscription, and use it in their business context as well. The main objective of these users is to use their calendar and organizer (about 79%), so it is very likely that these users will connect their devices to the company infrastructure in order to synchronize this data.

This would not pose much of a risk if companies managed the mobile devices that enter their company explicitly. Unfortunately, reality shows otherwise. Research by TNS NFO has found that, although almost every company knows of the existence of every device within the enterprise, 84% of the companies have not set any usage guidelines for PDAs within the enterprise. These guidelines are not written, despite the fact that many security applications are available and that there are great examples of security policies for mobile devices freely available on the internet. With the introduction of Windows Mobile 5 and Exchange 2003 SP2, the devices can even be managed centrally.

One would hope that it would be possible to depend on the individual responsibility of the employee for securing the device. Mobile devices have the possibility to set passwords or other means of protection against unauthorized use. However, this trust in the responsibility of employees has proven to be misplaced: 75% of all mobile devices do not even have password protection. Although newer versions of Windows Mobile ask for a password during the initial setup, my personal impression from the devices in the field is that the situation is not improving. To make it worse, employees see the device purely as their own private property (since they bought it) and refuse to accommodate security requirements of their employers, which make the device less easy to use.

It is frightening that neither the company nor the individual employees worry about the security of a device. From a business perspective, there could be two reasons that explain the lack of focus on device security. Either:

  1. Theft or loss of a device simply does not happen. Employees perceive themselves as being good caretakers of their PDAs and don't lose them.
  2. The data on the device has no value to competitors or other hostile third parties.

The chances of losing a device are staggering and cannot be neglected

Although employees might perceive themselves as being good caretakers of their device, reality shows that their mobile devices have a rather big chance of coming into harm's way. The numbers of devices getting lost or stolen are enormous. According to Gartner, in 2001 there were 35,000 PDAs lost or stolen in the U.S. This got worse in recent years: in the last six months of 2004, there were 5,838 PDAs left in London cabs alone! These numbers make you wonder if the owners attribute any value to their device. In total, a staggering 25% of people have lost a phone or PDA. This indicates that the chances of loss or theft of a device are extremely high and should not be neglected.

60% of top management indicates that losing company data contained on a PDA hurts the business

But is there a risk associated with data loss? Of the employees, only 18% think they would get into trouble for losing a device. According to top managers, there is indeed a problem. According to research funded by Pointsec, about 60% of top managers indicate that their company is hurt when PDAs get lost. Not because of the loss of the physical device or the loss of access to the data contained on it, but because of the potential leak of this data to competitors. With the steady increase of memory capacity, loss of a device could lead to serious leaks of large quantities of confidential data. According to Gartner, losing a device can lead to serious problems for an enterprise. Real-life examples of sensitive data leaking to competitors can easily be found and are certainly not uncommon, as many published cases illustrate.

This does make one wonder what kind of data is on such a mobile device that it could hurt your business. According to a survey, the top 10 uses for a PDA in 2003 were:

  1. Business diary (85%)
  2. Business names and addresses (80%)
  3. Personal names and addresses (79%)
  4. Personal diary (75%)
  5. Entertainment: games and music (48%)
  6. Documents/spreadsheets (35%)
  7. Store passwords/PIN numbers (33%)
  8. Receive and view emails (32%)
  9. Store bank account details (25%)
  10. Store corporate information (25%)

Losing this kind of data could indeed harm business. Passwords especially, but also business contacts, the appointments with these contacts, the notes made in the business diary during meetings, received documents and spreadsheets with pricing information could reveal a lot of strategic company information.

A Filofax in a business situation

However, this kind of data can also be found in your average Filofax or any other business calendar. This is indeed a common perception among many users: their agenda just became digital. Although the storage capacity of a Filofax was limited to the weight of paper the owner was able to carry, there was a general tendency among owners to store sensitive information in them as well: appointments, contacts, pricing tables and passwords. In the old days, losing a Filofax was always seen as an acceptable risk. So from that point of view, there is not a big change in the risks associated with sensitive data: sensitive data is now only lost in a digital way. Although still very inconvenient, losing a digital device in that sense does not introduce a new risk. The volume of data might be bigger, but it is also a risk we are now capable of managing a lot better, reducing it to an acceptable level previously not thought to be practically attainable. However, as indicated above, users do not perceive much risk in losing the data; they still see it as their personal calendar being lost, and not as a potential company asset becoming a liability.

Modern mobile devices provide a backdoor to the entire company

There is a huge difference between losing a Filofax and losing a mobile device, a difference that implies that the loss of a mobile device has a lot more impact: a Filofax just contains information, whereas mobile devices are also intended to connect to the company network and are trusted on these networks and systems. Since it is a great hassle to enter passwords on a mobile device, many passwords are remembered for the user and entered automatically when needed. The result is that a mobile device contains its owner's credentials, which automatically authorize the device to the rest of the world, including company networks with tremendous amounts of confidential data. Although the credentials themselves cannot be retrieved from the device easily, the device will still assume that whoever operates it is authorized, providing a means of access to the domains where the rightful owner is trusted.

The impact of losing a device can have far-reaching consequences. Some examples of the credentials stored on mobile devices and their consequences:

  • The most obvious option is entering servers through the regular applications on the device, for example mail servers and global address books, but also order registration systems, etc. Since the device authenticates correctly, it will be granted access to the server-side systems as well.
  • Wireless LAN connections through RADIUS are checked against a personal username and password. However, if one follows our manual for connecting to a business network, the device will always automatically authenticate to the network. Configuring the mobile device as a modem will allow the attacker to browse the company network with his/her laptop.
  • For many applications, a VPN (Virtual Private Network) connection is used. By gaining access to the device, this connection can be used easily, giving access to the entire company remotely.

These examples show that losing a mobile device, even if it is a personal device, poses a direct threat to the security (and especially the confidentiality) of the data contained in your entire company network. One would hope that employees report the loss of personal devices to their own IT department promptly, so that credentials can be revoked. In practice, this is generally not the case. This is a risk that should be managed from a company perspective, since the chance of a device being lost is significant.
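As an added example that is not part of the original article, the check an IT department could run once a loss is reported: it scans RADIUS/VPN log lines for successful authentications by a user whose device was reported lost, and measures how long the cached credentials stayed usable after the report. The log format, the usernames, the addresses and the report register are all constructed assumptions.

```python
"""Detect logins with credentials cached on devices already reported lost."""
from datetime import datetime, timedelta

# Constructed register (added example): username whose credentials are cached
# on the lost device -> UTC time the loss was reported to IT.
LOST_DEVICE_REPORTS = {
    "j.smith": datetime(2006, 4, 9, 9, 30),
}

# Constructed RADIUS/VPN log lines: "<timestamp> <service> <user> <result> <client>".
SAMPLE_LOG = """\
2006-04-09T08:55:00 radius j.smith ACCEPT 10.20.0.17
2006-04-09T10:12:00 vpn    j.smith ACCEPT 83.1.2.3
2006-04-09T10:15:00 radius a.jones ACCEPT 10.20.0.18
2006-04-09T11:40:00 radius j.smith ACCEPT 10.20.0.41
2006-04-09T11:41:00 vpn    j.smith REJECT 83.1.2.3
"""

def parse_line(line):
    """Split one log line into a dict; timestamps are naive UTC."""
    ts, service, user, result, client = line.split()
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "user": user, "result": result, "client": client}

def find_post_loss_logins(log_text, reports, grace_seconds=0):
    """Return ACCEPT events for a user whose device was reported lost, where
    the event happened after the report plus an optional grace period that
    allows for a revocation still in progress."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        reported_at = reports.get(ev["user"])
        if reported_at is None or ev["result"] != "ACCEPT":
            continue
        if ev["ts"] >= reported_at + timedelta(seconds=grace_seconds):
            hits.append(ev)
    return hits

def revocation_gap_seconds(log_text, reports):
    """Per user: seconds from the loss report to the last successful login,
    i.e. how long the cached credentials stayed usable after the report."""
    gaps = {}
    for ev in find_post_loss_logins(log_text, reports):
        gap = (ev["ts"] - reports[ev["user"]]).total_seconds()
        gaps[ev["user"]] = max(gaps.get(ev["user"], 0), gap)
    return gaps
```

Calling `find_post_loss_logins(SAMPLE_LOG, LOST_DEVICE_REPORTS)` on the constructed data returns the two ACCEPT events after the 09:30 report; every hit is a credential that should have been revoked at the time of the report, and `revocation_gap_seconds` shows the credentials stayed usable for 2 hours 10 minutes.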

You can hardly stop mobile devices entering your company. Our impression is that it is a very costly mistake to ignore the security concerns of devices coming into a company through the backdoor, even if ownership of the device resides with the employee. Requiring a simple PIN to access the device reduces the risk associated with mobile devices tremendously, and it is a measure that can easily be enforced centrally. Ignoring these private devices makes them unmanaged, uncontrolled and above all a security hazard for the organization: they become a blind spot within security management. As we have shown, individual users rarely take responsibility for securing their devices properly, not only putting the locally stored data at risk but also making the mobile device a potential backdoor to your entire company network. It is critical for organizations to manage the mobile devices that enter through the backdoor in order to prevent them from becoming a permanent backdoor to your entire infrastructure.


Comments

by Michael, Tuesday 31 of October, 2006 [07:12:26 UTC]
I think it's wise to provide basic, yet thorough security on these devices:

- full hd / external storage encryption
- anti virus ( ? )
- on-idle locking
- password policy (3 or 5 attempts, and then a device wipe)
- remote device wipe

The problem, besides battery draining, would be device management, I think. A properly controlled and trimmed-down mobile platform would help a lot. Many corporates allow people to hook up their personal devices to the network / email system and such. Nothing prevents those insecure (insecure by nature) devices from catching a virus and potentially spreading it.

Though I haven't seen any mobile -> desktop virus in the wild. :)

-mike

by Jaap van Ekris, Wednesday 01 of November, 2006 [13:57:38 UTC]
I agree with you completely. Devices can be locked down pretty well using (freeware) tooling and OS settings. The problem is that companies think that if they do not buy the devices, nobody will use them in a company setting. The figures from HP (83% of the devices in a company are privately owned) clearly show that mobile devices will enter the company regardless of who buys them. Current devices are so good that you can integrate them into your network without any problems. This manual for RADIUS connections shows that even when you use good security, people are capable of hooking up devices without agreements on what comes along.

There are no real Windows Mobile viruses (yet). But we do have to realize that these devices do receive e-mails with attachments from desktops. What would the average user do if the photo of "britney spears" he received from a friend does not open on his PocketPC? He will probably copy the photo to the desktop and try again, only to find out it is an executable. Some virus scanners on desktops see this, some don't...