Line of fire

Chances are that you have a smartphone or a PDA. You might even have both. Chances are also that you do not have any kind of antivirus or antispam protection installed in the devices and honestly, you did not know that you needed it in the first place.

Mobility is a fact of life when you live and work in the Middle East. With populations characterised by a high level of interest in technology and the desire to possess the latest of gadgets, many countries in the region boast more than 100% penetration rate for mobile devices. This covers regular mobile handsets, smartphones and PDAs.

 

However, smartphones still lack a formal structure of usage among enterprises. Middle East companies have yet to lay down the rules on which mobile devices can be bought and how they can be used for accessing and working with the firm's data.

Many in the IT industry believe that the lack of enterprise-level monitoring, management and standards for smartphone use in the region is a direct consequence of the fact that enterprises have not started moving applications to the remote client level yet.

"Everybody will acknowledge that data is critical and important, yet not everybody is taking the necessary measures to secure that data, especially on mobile devices," says Kenan Abou Lteif, territory manager for Saudi Arabia at McAfee.

"You could say that security on mobile devices is really a component of or co-related to the amount and type of applications that have been mobilised. If the business does not do push email or has any kind of CRM or ERP application accessible from the mobile device, then the IT manager would most likely not be concerned about security on these device," says Joe Devassey, head of Nokia's enterprise solutions in the Middle and Near East.

He adds that enterprises in the region, especially in the UAE, Saudi Arabia and Kuwait are beginning to mobilise email applications and though this is still in the nascent stage, it won't be long before an increasing number of enterprises mobilise their applications.

Another important factor for the laidback attitude towards mobile security among enterprise IT staff stems from ignorance of the threats that could potentially affect a phone and the data within.

Any action from enterprises to secure mobile devices used by employees has to be preceded by knowledge on the threat landscape.

The threat landscape

There are some who believe that in the Middle East, there are more chances of you losing your phone than having a bit of malware sitting on it.

"There is a larger likelihood of any particular executive in the region losing his phone in a crowded restaurant than of him having a piece of malware visiting it. Most often the people who steal the device do so for the tangible value and there are not too many who are after the data resident on these devices. But there is still a possibility of this stolen information being used for malicious intent by the people involved. This very often could be internal employees," says McAfee's Lteif.

Lteif is a rather lost voice in an industry which is clamouring about all the dangers that are waiting for a possible entrance into an unguarded smartphone.

"Worms, viruses and malware that attack mobile devices do exist. In fact, there have been more and more incidents of spread in the region, especially in Saudi Arabia. But it has not been highlighted simply because it is not on a large scale yet," says Patrice Perche, regional VP of Fortinet.

Most of the malware is transmitted via the improper use of Bluetooth.

Deavssey says: "People in the region still consider mobile devices as personal ones and they tend to use Bluetooth and download a lot of unauthorised applications. Then there are threats from malicious intent just like PCs. Between the two, the immediate threat is of unintentional download of viruses but with the corporates mobilising more applications, the hackers will look this way before very long."

Anand Choudha, security product manager for FVC says: "Everybody carries around a certain set of malware or spyware, in forms of legitimate cookies from websites you visit from the smartphone. People can live with these completely unawares. But something dangerous can come along and affect their data."

According to a recent paper from Gartner, there is no question that malware targeting wireless devices exist. But, despite the intense vendor- and media-driven speculation - and several well-publicised hoaxes - the necessary conditions required for viruses or worms to pose a real rapidly spreading threat to more than 30% of enterprise mobile devices will not converge until year-end 2007.

"We estimate that there has to be around 15 million units of any particular operating system around for it to attract malicious attackers. The Symbian platform has over 100 million units. But we do not expect threats to reach a certain level before the end of the year and beginning of 2008," says Leif-Olof Wallin, research VP at Gartner.

Locking down

Threats will soon be knocking on the smartphone doors of Middle East executives as penetration levels increase, applications get mobilised and technologies such as 3G catch on. The first level of securing these devices would involve loading a smartphone or PDA specific antivirus or an antispam solution.

This would need to be coupled with network level security measures such as firewalls, user recognition and access technologies. Lteif also talks about McAfee technology that can prevent data loss leakage in mobile devices and states that this would be the next wave of security following on antivirus.

According to a recent Gartner report, smartphone or PDA antivirus approaches that rely on device software will always fail to block the most damaging viruses. The report advices businesses to look to their mobile carriers to offer "in the cloud" filtering services.

Perche agrees saying: "Security for mobile devices has to come from operators who should be able to assure a clean pipe of solutions for enterprises. That is the kind of approach for carriers and enterprises that would make more sense."

While the mobile operator path could ensure higher security, it is essential to tie mobile devices and behaviour patterns into overall enterprise security policy to make a protective matrix.

Devassey points out: "Standardisation is essential in enterprises. As more applications start moving to mobile devices, enterprises will have to standardise on the kind of devices that employees can use to access the applications with. This should be backed by a policy of buying the devices and providing it to the executives. When so done, these devices can come ready packed with all the security that is needed."