As a business user, one of your concerns is how safe your data is: you want to continue working without being hampered by technical difficulties and without risking losing data to the wrong people. A mobile device isn't just your phone; it contains your appointments, contacts, e-mail and perhaps a lot of credentials to mailboxes and credit cards as well. Research by Pointsec security has shown that generally, the following things are kept on mobile devices by mobile professionals:
- Business calendar (85%)
- Business name/address storage (80%)
- Personal name/address storage (79%)
- Personal calendar (75%)
- Entertainment: games/music etc. (48%)
- Documents/spreadsheet creation (35%)
- Password/PIN storage (33%)
- Receive/view email (32%)
- Bank account information storage (25%)
- Corporate information storage (25%)
Loss of this kind of data could lead to less productivity, losing vital data or even direct financial damage. Theft of data is also a concern, not only by stealing the device completely, but by stealing datacards or just the data. Since many devices are connected to the internet, viruses could be a concern as well. Some perceived dangers are more relevant than others, but all of them can be counteracted easily.
On a company level, one would expect some kind of security policy for mobile devices, in order to make the security level less dependent on the individual initiatives of employees. Unfortunately, many companies lack a security policy for mobile devices and employees take the devices to the workplace anyway, introducing a big security risk. Guidelines for writing a security policy for mobile devices can freely be obtained through the Geekzone. We have an article about securing ALL devices in your infrastructure, using Exchange as leverage.
Data loss and data corruption
Losing data is an accident that happens to a lot of users. One general rule of thumb is that vital data should always have a backup, and data collected on mobile devices should be no exception. Windows Mobile devices are prepared for this: by definition they are companions of desktops, so many business applications provide the possibility to back up or synchronize the data during an ActiveSync session. Besides making analysis of the data easier, this has proven to be an extremely dependable measure to protect your data from permanent loss. How well it protects you does depend on the frequency of synchronization. The habit of synchronizing your device regularly could save large portions of your vital information and is therefore essential in a business situation.
Loss of the device/datacard
Losing a device or datacard happens a lot. According to research by Pointsec security, about 40% of all mobile users will lose a device at some moment, and even more will lose a memory card.
There are specialized applications that allow you to store and synchronize information. They provide a desktop-side companion, allowing you to protect your data by synchronizing it to the desktop. For bigger objects, like complete files, the file synchronisation of the desktop could provide an answer. It has its limitations because it limits itself to one single folder, but it is a workable solution.
Virus on the device
In theory, a virus on your device could remove all data on it. The currently known viruses are not hostile: they are proof-of-concept viruses written by antivirus companies to raise awareness in the mobile community that they too can be harmed. At this moment, there are no known harmful viruses going around on Windows Mobile devices. Cross-platform viruses (i.e. from device to the desktop and vice versa during a synchronisation session) are very rare. However, there is a proof-of-concept virus of this kind, hinting at the possibility. Generally, desktops do identify these viruses. So currently there is no need to worry.
There is one Trojan horse going around on the internet, originating from China. It steals all personal information from the device and disables all security measures. It is part of several modified pieces of software, including Google Maps, stock trading applications and games. So it is critical for you to verify that installed software does come from a trusted source.
Despite the extremely low threat level, virus scanners are available. Suppliers providing virus scanners are:
- F-Secure Antivirus for PocketPC
- Computer Associates eTrust Antivirus protection for PocketPC
- Airscanners Security Suite
- McAfee Virusscan Wireless
- Norton Antivirus
- Kaspersky Antivirus
- Softwin Bitdefender for Windows CE
- Symantec Antivirus for Handhelds
I-Mate is known to distribute devices with antivirus software already installed.
Corruption of datacards
Corruption of a datacard can make you lose all the data on it. Corruption of datacards can have many causes, but in most cases it is attributed to production faults. Tests by device enthusiasts have shown that memory cards can take an awful lot of abuse, including the use of magnets, screws, high-voltage electricity, boiling water and microwave ovens (link is in Dutch).
However, distortion of the directory structure is a known problem that cannot easily be prevented. Making backups of the information, as mentioned earlier, is vital for painless recovery. But repairing the fault on the memory card is definitely a possibility as well. Memory cards can be mounted (and therefore repaired with special tools) under a normal Windows operating system using a memory-card reader. Tools known to work are:
- File-Rescue Plus
- File Recover 6.0 for Windows
- Smart Recovery
- CGsecurity PhotoRec
- DataRescue PhotoRescue
Theft
Having your data stolen is a clear act of violence/espionage that, luckily, does not happen to a lot of people. One general rule of thumb is that if information could harm you or your business, protect it. A frightening 75% of companies do not demand data protection measures from their employees when using mobile technology. The impact can be quite severe: Windows Mobile devices can contain network credentials to secured networks/servers and do not ask the user to authenticate himself if he is using the device. Protecting this type of information is vital in order to prevent attackers from harvesting credentials from these devices.
Simple measures can help you protect your data from those people and make you sleep a lot better at night after your phone or PDA has been stolen. Although it is not a great experience and causes a lot of trouble anyway, it becomes one thing less to worry about.
Protecting the device and phone against theft
Psychologically, having your device stolen is the most confronting situation. It is a clear threat to the availability of your data. It does not happen very often. Although the impact of theft could be different from what you think, it is good practice to have important data in a protected segment of your device.
First of all, you can activate the power-on password. This can be done by using the "Password" option in the settings menu. This password blocks access to the device and all its (network) credentials. This way the thief cannot use the device without having to erase all the settings in memory (effectively removing your data as well). This will prevent access to any credentials and phone options in your device. To prevent the phone from being used, a SIM password is recommended as well, which can be set in the phone options (under the tab "phone", there is the option "require PIN when phone is used").
There are some moments when the device PIN might be inconvenient, for example when navigating. There is a modification that allows you to disable the password when the device is used on an external power source.
Protecting the data against theft
For protecting specific sensitive data on a device, you may need a bit more. For small objects like passwords and social security numbers, encrypted data organizers help you not only by storing your data securely, but also by organizing your data for easy retrieval. For bigger objects, like files and folders, there are file encryption applications.
Protecting data communication
As a mobile user, you are not always in a trusted environment. Since the introduction of "Evil Twins" of hotspots, you cannot even trust your own hotspots to be safe anymore: people can use an open access point to eavesdrop on your conversation with the internet. Using secure connections over this open infrastructure is vital. Either resort to SSL connections or use a VPN connection to a trusted network to prevent people from listening in on your communication.
There are solutions known (for example SecureGSM) that even protect GSM communication from eavesdropping.