
Security Risk Posed by Mobile Devices

2.2 Security Issues and Considerations

2.2.1 Security Risk Posed by Mobile Devices

The nature of 3G services implies the access and transmission of data that may be of a far more sensitive nature than before. For example, enabling financial transactions, as in the case of mobile banking, micro-payments or m-ticketing, requires the use of personal and financial information. Misuse of such services could result in a great financial loss to the owner of the mobile device. If appropriate security is not provided, an impostor could use a mobile handset to download or purchase items, charging the subscriber’s account; furthermore, this endangers the subscriber more generally, as the personal information used to access these services could be exploited for several malicious purposes.

An increasing amount of evidence is available to suggest that mobile devices are being used to store sensitive information, while at the same time being significantly susceptible to compromise. The concern over personal and private information stored on mobile devices is not to be overlooked. A Motorola survey reveals that 34% of users store sensitive data such as their bank account information or work email passwords on their phones, while a quarter of them would prefer to share a toothbrush than share their phone (Forbes, 2012). Juniper Networks’ survey reports that 76% of global respondents use mobile devices to access sensitive data, such as online banking or personal medical information, whereas 89% use their personal device to access critical work information (Juniper Networks, 2012).

Furthermore, as the use of mobile devices in business increases, so does corporate information leakage and financial loss (DarkReading.com, 2012). A Checkpoint survey across IT professionals shows that 47% report customer data is stored on mobile devices, with 71% declaring that the introduction of mobile devices has increased security incidents (CheckPoint, 2012). Symantec reports that UK companies had the greatest increase in the cost of a data breach if the incident involved a lost or stolen device (Symantec, 2013). Figure 2.4 shows an example of the type of information that is stored on mobile devices. Although companies are likely to update their policies after a device-loss incident (DarkReading.com, 2012), enforcing stronger security policies within a business does not necessarily ensure the protection of information once the human factor comes into play. 55% of users admit to forwarding work email or documents to their personal email accounts on their phone (Forbes, 2012). With up to 80% of corporate IP stored in the email archive, it can be foreseen that the danger of misuse significantly increases compared to access from a PC inside a company’s network (Mimecast, 2012).

Figure 2.4: Corporate Information Stored on Mobile Devices (Adapted from Checkpoint, 2012)

At the same time, incidents that involve mobile devices and the disclosure of personal and corporate information are frequently seen in the news (Clark, 2011; Raywood, 2010; BBC, 2009). A McAfee survey of 1,500 respondents across 14 countries showed that 40% of the organizations say some of their mobile devices have been lost or stolen, half of which contained business-critical information (DarkReading.com, 2011). Data from Transport for London report that more than 15000 mobile phones and 528 laptops were handed in as lost in 2013 (Worth, 2013).

The issue of theft has been the driving factor behind the Government setting up a National Mobile Phone Crime Unit to specifically target the problem and calling for operators to provide more safeguards on the devices (NMPCU, 2012; Cellan-Jones, 2010). The potential misuse of a device is not necessarily restricted to malicious intent; it can also stem from human curiosity. A Symantec-sponsored experiment that purposely abandoned 50 specially set-up smartphones in different public places showed that in 89% of the cases the finders tried to access what appeared to be personal data on the devices (Leyden, 2012).

The concept of Bring Your Own Device (BYOD) poses further risk to business and information. Gartner group predicts that by 2017 half of the companies would require employees to supply their own device for work purposes (Gartner, 2013). When corporate information is accessed from and stored on a mobile device that a user may carry around all the time and treat as a personal device rather than a business tool (which may have been of more restricted use), the risk significantly increases. A survey of 1075 UK employees by TNS Omnibus for Sophos shows that 30% believe their companies lack appropriate security policies and 50% are concerned that personal information would be at risk in the event of device loss (ComputerWeekly.com, 2011).

Given the extent of the information and services available on these devices, security threats are now growing on mobile platforms, making mobile devices a top concern. It could be said that, given the scale of penetration of mobile devices, the target of misuse will shift to the mobile environment (Juniper Networks, 2013).

Exploitation of a mobile device can now mean compromise of both business and personal data, making such devices an attractive target for crime. Given that mobile platforms have not, in principle, been designed with comprehensive security, they are a further ‘interesting’ target for attackers and malware, with mobile exploits having significantly increased over the last few years (IBM, 2011). As stated in the IBM report, the most frequently seen mobile device security threats are (IBM, 2011):

• Loss and theft
• Malware
• Spam
• Phishing
• Bluetooth and Wi-Fi

Such evidence collectively demonstrates that devices are now being used to store sensitive information, and that large numbers of them are vulnerable to both accidental and deliberate threats. With the ability to access and store a wide variety of more sensitive information (such as extensive contact lists, diaries, email, corporate information, mobile banking and location-based services), the need to ensure this information is not misused or abused is imperative. Whereas the theft or loss of a device might previously have been the principal risk associated with mobile devices, unauthorised access to a device that utilises these information services will potentially result in the disclosure of a greater amount of personal information, endangering a wider variety of aspects of the user’s life (which could range from personal identity theft to serious corporate loss and, increasingly, liability). With this in mind, it is relevant to consider the degree to which related security measures are already provided and utilised.