The purpose of this document is to expose a business problem from a technological viewpoint. The subject of the business problem I have selected is smartphone security. This subject will be analysed and critically evaluated, then expanded upon further to reflect the range of possible solutions and raise awareness of the risk and need of smartphone security.
1.1 Aims and objectives
- Create an authoritative document with recommendations to raise awareness and inform businesses of the need for greater mobile security within the business environment.
- Use insight to establish a research gap.
- Assess smart mobile devices currently used.
- Analyse security advantages and disadvantages of smart mobile devices.
- Establish what risks smart mobile devices are exposed to.
- Evaluate impact of risk exposed by unsecure mobile devices to businesses.
- Examine mobile security currently available.
- Investigate responsibility.
- Evaluate current business policies and procedures for mobile devices and how these can be enforced.
- Construct smartphone security guide with recommendations for businesses.
1.2 Problem statement
The problem is information and financial loss due to information theft or inaccessibility from malicious software, and the detrimental impact this has upon the business.
A recent report from Gartner (reference report) indicates that sales of smartphones have grown exponentially and that businesses are reaping the benefits gained from smartphones; however, their use also creates security risks and opportunities for cybercriminals.
Many types of information can be stored on smartphones, for example personally identifiable information in the form of identity credentials, email, SMS and MMS messages, GPS coordinates, passwords, company documents and connectivity access information to company servers.
Information security has gained significant value within the business domain over the past decade; however, this value remains subjective. Users have been made aware of the risks posed by malicious software whilst using their personal computer on the internet, and now assistive technologies like smart mobile devices are becoming increasingly powerful, functional and ubiquitous.
Where personal computers have at least some security software in place as standard, smartphones commonly have no security software installed as standard and are susceptible to the exact same threats as personal computers (malware, viruses, trojans, etc.).
Businesses, professionals and personal users now have a greater awareness of the need for personal computer security. This has been provided by media coverage, enterprise training or personal experience. When using a personal computer or laptop, for example, it is common to find a firewall and antivirus software installed, showing that internet safety has now become a social norm.
“…Smartphones are more powerful than supercomputers were a few years ago, and we are putting them in the hands of people who’ve never had anything like it before.” – Google CEO Eric Schmidt
As Schmidt states, smartphones are pervasive devices. Workers typically need training on these devices as they are multifunctional, and unless people are aware of the threats these devices pose, the consequences can be detrimental to the business.
Today’s organisations rely heavily upon information technology in order to allow their business to function (Khosrowpour, 2001). This is fundamentally due to how intricately information technology systems are embedded into organisations.
Smartphones provide businesses with many new opportunities; however, these opportunities exist not just for business and personal users but extend to cybercriminals too.
Malware is currently one of the most common sources of security failures within businesses. Smartphones have the same capabilities as personal computers and are used within business environments in the same manner; however, they are typically unsecure and rely solely upon the standard out-of-the-box security features, with no antivirus or firewall present.
There are many different mobile operating systems for smart mobile devices requiring different security applications. The operating systems and the risks associated will be carefully analysed.
The intentions of this paper are to investigate what impacts smart mobile devices can have on businesses, why these problems affect the organisation, and how they are overcome.
Finally, insight will be gathered and recommendations made that businesses can use to foresee and prevent unnecessary future costs and risk.
2.0 Literature review
The focus of the subject proposed for this project is a very real-world business and information technology problem. Smartphone security is a recognisable potential problem for both individuals and businesses as most smartphone users including businesses and educational establishments do not have any specific policies in place to safeguard from smartphone security related issues.
Because smartphone security is still in its infancy, it will be a challenge to source accurate and relevant information from authoritative sources such as ‘Emerald’ without resorting to web-based research. However, as this project advances, smartphone security is becoming omnipresent in the media.
For the project, a survey will be proposed in order to understand how aware users are of the need for smartphone security. This survey will target as many participants as possible in order to gather appropriate primary evidence. Interviews will be conducted with professionals in the field of smartphones and security, such as police personnel, security advisors and mobile phone shop staff, to ascertain levels of security training, public security literature and knowledge.
Authoritative information sources will be used to gain technical information directly from manufacturers’ websites and retail outlets such as Apple, Android, Research In Motion, Nokia and Microsoft for documentation on smartphones and smartphone platforms. Only technical information will be used from these sources, as it is in manufacturers’ interests to sell their products.
Analysis of the survey will be done using statistical analysis tools including IBM’s ‘SPSS’, ‘SPSS Text Analysis’ software and more modern statistical analysis web-based techniques such as MarketSight. MarketSight is a hosted research data reporting environment accessible by the internet and only available through the internet browser Microsoft explorer whereas SPSS is software directly installed onto a computer.
‘Malware: the new legal risk’, the paper written by Verine Etsebeth in 2007, is an invaluable source for this project. Acquired from Emerald Insight, it is very suitable to this project as it highlights the threat of malware and the risks posed to businesses. It is well written and authoritative; however, Emerald specified it was unique as no such document has been published previously.
The majority of sources used by Etsebeth are from Harley, D., Slade, R. and Gattiker, U. Etsebeth references Viruses Revealed (McGraw-Hill, New York, NY, 2001). This source is recognised and trusted within the industry as a whole and is considered to be authoritative and well documented on its own merit. This paper focuses on the legal and professional implications of malware on companies in South Africa, Etsebeth’s home town.
This paper is very suitable for this project as it is a very well written and authoritative document. The majority of sources used by Etsebeth are from Harley, D., Slade, R. and Gattiker, U. (2001) Viruses Revealed, McGraw-Hill, New York, NY. The source used by Etsebeth, ‘Viruses Revealed’, is a well-documented authoritative document published by McGraw-Hill, a recognised trusted source. Etsebeth is a senior lecturer in the Faculty of Law specialising in the areas of law and information security.
Although Etsebeth’s paper ‘Malware: the new legal risk’ is highly suitable in terms of qualitative information, it lacks suitable geographic law for the scope of my project. I will use the information provided by Etsebeth for Malware, as this information is not geographically bound, and analyse the legal implications after comparing them to UK law.
Etsebeth highlights that companies are reluctant to report cybercrimes as it has negative implications for the company’s reputation; this correlates to my hypothesis.
‘Understanding the spreading patterns of mobile phone viruses’ by Pu Wang, Marta Gonzalez, Cesar Hidalgo and Albert-Laszlo Barabasi is a technical journal based on mobile phone virus modelling and the understanding of spreading patterns.
The journal was published in 2009 and investigates various mobile platforms relating to my assignment; however, the document is a highly technical report based on the mathematics of virus spreading patterns. I find this report to be highly enlightening; however, given the technical awareness of the target reader of my assignment, I believe this report to be too technical and out of scope.
Authoritative information directly from manufacturers’ websites and retail outlets will be used, including Apple, Android, Research In Motion, Nokia and Microsoft, for documentation on smartphones and smartphone platforms, as this will allow me to access accurate, current and reliable information directly.
Secondary information sources such as blogs and review websites will be avoided where possible for direct smartphone technical information, as these types of resources may provide inaccurate facts.
Local mobile phone retail outlets such as Orange, Vodafone, Phones4u, The Carphone Warehouse, O2 and T-Mobile will provide me with valuable information on device security awareness. I will enquire about staff security training and in-house company security literature currently available to public and business consumers, as this will affect the average smartphone user’s security awareness.
After investigating smartphone security, I established that some research in this area had been done already by Goode Intelligence, a UK company based in London.
‘Goode Intelligence’ is a company that provides strategic research and analysis and specialises in information security. Founded in 2007, Goode Intelligence has provided clients globally with statistical information from evidence accumulated from surveys in the field of information security. Goode Intelligence is viewed as an authoritative market leader of information security consumer information.
2.3 How this project fits in with the literature review
I had chosen the subject then chosen the literature review method, thus tailoring the literature review to fit the requirements of the project.
The survey will allow me to access information on how smartphone users actually use their device, how important they view the information stored on the device and users’ perception of the need for security.
3.0 Research methods
‘Businesses are not aware that they are at risk of information and financial loss or theft due to malware infections on smartphone devices.’
Information Technology consultants have recognised the gap in security for mobile devices; however, it was soon realised that the physical security of the device was not the real issue, as the need for smartphone security awareness within businesses was a far greater concern. Experience establishes that the best form of security is awareness of the need for security, and why, among the individuals who use the technology.
Smartphone malware is not seen as of great importance to IT professionals, business managers or general consumers. A majority of smartphone users use their devices for both business and personal use and a large share of smartphone users will be using their personal smartphone for work related activities.
The assumption is that most individuals would know what information they deem confidential; more specifically, what information they would not like others to access, including such things as calendar, contacts, photos, emails and files.
IT professionals should be the group most aware of smartphone malware risk, as their experience and technological awareness should allow them to be more security aware.
Antivirus used on personal computers is well known to hinder system performance and conflict with some applications and other software. The hypothesis is that antivirus products will consume more system resources than current smartphones can afford to offer and require more power from the device, ultimately reducing the battery life and impacting negatively on overall system performance, rendering the device unusable by the average user.
Products such as the iPhone are perceived as secure out-of-the-box, along with Blackberry smartphones, as they are mostly touted by mobile phone shop staff as business-orientated secure devices.
The project will be implemented using a triangulated, positivistic methodological approach. The particular technique chosen will provide a balanced view of the subject area. It will incorporate both quantitative and qualitative primary research methods, referred to by Bryman as multi-strategy research (Bryman, 2006). The scope of this project will mostly be quantitative research, as indicated in Fig 1 below.
Bryman advises that quantitative data can be gathered by way of a survey and qualitative research collected from journals and interviews.
The initial research will be conducted using primary research in the form of a cross-sectional survey questionnaire with closed questioning. Interviews with professionals in the field of smartphone-related security, such as police personnel, security advisors and mobile phone shop staff, will also be conducted to gain knowledge of their awareness of smartphone security and what advice they provide.
The survey will be available to respondents in paper form where needed; however, the survey respondents targeted will mostly be from the internet, so it is required that the survey be electronically hosted. The web-based survey distribution method selected is ‘Survey Monkey’.
The main motivations for selecting ‘Survey Monkey’ are reputation, administration features, ease of access and user layout familiarity. The survey will be designed to be concise and simple to maximise the number of respondents in order to gain quality information.
The target survey population will represent business managers, IT professionals as well as individuals who use their smartphone for personal use to establish users who admit to using their smartphone for both business and personal as opposed to personal use only. This is suggested by Baxter as an important step in defining who should be included and excluded from participating in the survey (Baxter, L. & Babbie, E, 2004).
The users have been targeted as the project will establish not only the perception of smartphone security but also what smartphone policies and procedures are currently in place and how aware users are of these.
Research indicates that an ideal resource for the proposed target users is a popular internet-based technological social news website named ‘Reddit’. ‘Reddit’ has a daily turnover of over 850,000 unique users (Alexa, 2010). According to Alexa, the average ‘Redditor’ is male, between the ages of 18 and 44, is well educated and browses ‘Reddit’ either from work or home, suggesting that the majority of ‘Redditors’ are working professionals in the technology field. This suggests that the average ‘Reddit’ user is technologically aware (Alexa, 2010), and that ‘Reddit’ would suit the proposed target survey participant.
The proposed project will be delivered using an analytical in-depth research structure. This project structure has been selected as it will primarily be research based on the current business problem as previously stated.
The intentions are to analyse the problem, understand how aware people are of the issue and propose possible solutions.
One method of analysis proposed is the conceptual method, as described by Beaney as a way of breaking down or analysing concepts into their constituent parts in order to gain knowledge (Beaney 2003). I have interpreted this to mean the compartmentalisation and analysis of data.
Critical and creative thinking skills such as Edward de Bono’s Six Thinking Hats will be used to examine the problem domain. A review will be given of how the systems work, comparing this to how they should work. I will then analyse the solution domain by examining which options are available to improve system security, along with an optimal recommendation and the benefits this would provide.
‘SPSS’ is a well-established statistical analysis application first released in 1968. Randomised questions, Marketsight. Survey design
4.1 Presentation and description of results
Who took part?
The survey was conducted to establish the awareness of information security and the need for smartphone security. Users were openly invited from technological backgrounds to partake in the survey and assured of anonymity.
A total of 758 people responded to the online survey from a possible 854,998 potential participants (Fig. 2). The survey itself was open for one month during February and March 2011.
The results in Figure 2 show that a majority of survey participants were male, with 82 per cent being male and 18 per cent female, which confirms my survey target gender. When asked, both genders averaged at age 26 (Fig. 3), again confirming my target survey demographic groups.
When asked, 53 per cent of respondents reported they had used their smartphone solely for personal use, as opposed to 45 per cent who reported they used their smartphone for both business and personal use and 2 per cent who reported using a smartphone solely for business use, as shown in Fig. 4, combining to a total of 47 per cent.
25 per cent of respondents had only been using smartphones for the past six months, 17 per cent were aware they had been using them for at least a year and a majority of 59 per cent had been using smartphones for more than one year, as seen in Figure 5.
Only 12 per cent of respondents opted to use the ‘pay as you go’ payment facilities, as opposed to the greater majority of 88 per cent that have contracts, as shown in Figure 6 below.
87 per cent of participants reported that they did not use any form of smartphone security software such as antivirus, as opposed to 13 per cent that did, as highlighted in Figure 7.
In answer to the question “What type of smartphone do you currently use?” 34 per cent of respondents said they used an Apple iPhone, 58 per cent reported using Android smartphones, 13 per cent used Blackberries and 6 per cent of respondents had Symbian smartphones (Fig. 8).
87 per cent of respondents had used calendar functions, 94 per cent used email, 86 per cent used games, 87 per cent used GPS features, 74 per cent used instant messaging, 52 per cent used internet banking facilities, 66 per cent used the multimedia messaging service (MMS), 94 per cent used the short messaging service (SMS) feature and 78 per cent (Fig. 9) admitted to using social networking sites on their smartphone.
93 per cent of survey participants used 3G for mobile data communication, 59 per cent used ‘Bluetooth’ technology and only 4 per cent had used infrared line-of-sight technology; however, 75 per cent admitted to connecting via universal serial bus (USB) and 94 per cent had used wireless for mobile data communication, as shown in Figure 10. A total of 757 participants answered this question and 1 chose to skip the question.
From a total of 758 respondents, 63 per cent (476) valued the physical smartphone above the 37 per cent (282) who valued the information more.
Figure 12 shows that 62 per cent of survey participants reported that they did not pay attention to licence agreements and permissions when installing applications on their smartphones, while 34 per cent reported they did read the licence agreements and permissions. 4 per cent of respondents believed that this question was not applicable to their smartphone use.
Awareness of the need for personal computer security is apparent, as 81 per cent of respondents were aware of the need for security software for personal computers as opposed to the 19 per cent who were not aware. 94 per cent of participants have connected their smartphone to a personal computer (PC), and 6 per cent stated they had never connected to a PC. All 758 respondents answered this question.
Figure (XXX) shows that survey respondents considered smartphone security as ‘beneficial but not essential’ as the majority answer with 64 per cent; 21 per cent (159) did not consider there to be a need currently for smartphone security software, as opposed to 15 per cent (114) who considered smartphone security software absolutely essential.
95 per cent of respondents were aware of ‘Adware’, 27 per cent had known about ‘Badware’, 25 per cent of respondents were aware of ‘Crimeware’ and 69 per cent had previous knowledge of ‘Rootkits’. ‘Trojans’ (95 per cent), ‘Spyware’ (95 per cent) and ‘Worm’ (90 per cent) were the most commonly recognised malware terms from the malicious software list, the majority being ‘Virus’, with 97 per cent of respondents being aware of this type of malware. 731 respondents answered this question.
96 per cent of respondents stated that they owned the smartphone, only 4 per cent of respondents had employer owned smartphones. All partakers responded to this question.
Out of the 758 respondents, 15 per cent were aware of policies within their place of business, with the majority of respondents 41 per cent unaware of any workplace policies or procedures particularly orientated toward smartphones. 44 per cent responded that the question was not applicable to them. All participants answered this question.
It is interesting to find that only 15 per cent stated they were aware of specific workplace policies and procedures for mobile phones and 40 per cent were aware there were no mobile phone policies and procedures. A majority of 92 per cent (699) had not been advised of any security methods to protect them or their information from fraud, theft or malicious software. 8 per cent (59) of respondents agreed they had received adequate security advice.
4.2 Discussion and interpretation of survey results
Analysing the results of the survey shows the majority of smartphone users to be Android users, peaking in the 20 to 24 age bracket. This would indicate that an IT professional’s choice of smartphone is Android, as indicated in Figure 3 below.
Smartphone survey contributors within the 20 to 24 age group were then further examined to indicate what purpose is intended when using the devices. The results show clearly that a majority of survey respondents viewed their smartphone use as personal; however, disturbingly, over half the users in the same age group admitted to using their smartphone for both personal and business use, as shown in Figure 4.
Female respondents preferred the features provided by iPhones, as opposed to male smartphone users, who clearly preferred the Android platform over all others, as seen in Figure (XXX).
Examining users’ perception of the need for smartphone security against whether or not those users had antivirus shows that awareness of the need for security correlates to users who did indeed have smartphone security measures in place, with nearly half of users who responded ‘Absolutely essential’ to the question ‘How necessary do you see the need for smartphone security software’ as shown in Figure (XXX).
However the overall amount of smartphone users with antivirus or other security is disturbingly low given the malware threats currently available.
The results also show us that a large majority of IT professionals do view smartphone security as beneficial however not essential. Android users are the most security aware demographic as demonstrated in Figure (XXX) above. This indicates that users are not aware of the threats posed by malware and view the need for smartphone system performance greater than the need for security.
Business users have been defined as respondents who confirmed they used their smartphone for business only and users who reported they used their smartphone devices for both business and personal use.
Smartphones have many features of value to employees, as shown in Figure (XXX) below. Email, calendar, GPS and SMS features were shown to be the most used features, all of which are viewed to aid employee productivity. However, features such as games and social networking, which negatively affect employee productivity, were also shown to be frequently used, suggesting that smartphones can have negative effects on employee productivity. Figure (XXX) also shows us that over half of business users reported using internet banking facilities from their smartphones.
After finding out what smartphone features business users were most interested in, I studied how aware business users were of security permissions and licence agreement prompts when installing new applications on their smartphones.
The pie chart below is a representation of business user survey respondents’ awareness of how essential smartphone application installation security prompts are in regard to new application installations.
Figure (XXX) shows us that 60 per cent of all business users admitted that they did not pay attention to licence agreements and permission prompts when installing new applications.
The distinction between smartphones and personal computers is becoming increasingly marginal. Personal computers, for example, do not have built-in billing systems and, unless connected to the internet, are static devices accessible via a local area network or through direct contact. Smartphones have an integral billing system, are completely mobile and have multiple connectivity methods.
When business user survey partakers were asked if they used any security applications such as antivirus, an overwhelming majority responded that they did not use any security products. This confirms part of my hypothesis that business users do not perceive smartphone security as a real threat.
Discovering that the majority of business users used internet banking facilities for either personal banking or business banking and that 9 out of 10 business smartphones had no security products installed, it was elementary to understand if business users were aware of smartphone malware threats.
The line graph in Figure (XXX) indicates that over 90 per cent of business users are aware of malware threats such as Adware, Spyware, Trojans, Viruses and Worms; however, business users were least aware of malware threats such as Crimeware, as indicated in Figure (XXX).
Survey respondents who reported they used their smartphone for personal use only were excluded from the following analysis. 7 out of 10 business users confirmed they were not aware of any specific smartphone security policies at work (Figure (XXX)).
The awareness of security for iPhone smartphones is low, as users’ perception of Apple and Mac OS is that it is impervious to malware infection. Research shows that iPhone users have the least amount of antivirus installed on devices. As discussed earlier, users are completely reliant on Apple to vet all applications for malicious code, whereas Android and Symbian applications are open source so users may inspect the contents for malware.
secure smartphone model, least security aware group
Android users are the most security aware demographic group, as the typical Android user is conscious that malicious software exists and the Android community are able to vet applications themselves. Android users were also the highest security aware group, with the highest percentage of antivirus products per smartphone.
Virtual environments, least secure smartphone perception
Blackberry smartphones were the most secure devices in regard to email and network connectivity; however, it was found that application signatures can be purchased by anyone for a small fee, thus rendering the security of the device minimal.
Very secure aspects, not as secure overall
Symbian smartphones are found to be currently the most common target for malware developers.
Windows Phone 7 is the newest platform on the smartphone market and only time will tell how secure the device is.
Awareness and concern
Private and confidential data from lost or stolen mobile devices such as laptops, USB pen drives and computer storage drives has gained negative exposure within the media recently; however, one of the largest growing threats to corporate information comes from unsecure smartphones.
To understand this statement it is important to appreciate the history of the smartphone to recognise why smartphones pose such a threat in today’s business environment.
A mobile phone is a portable electronic device used to make and receive telephone calls. The mobile phone was first revealed by Dr Martin Cooper from the company Motorola in 1973. It was not until ten years after Dr Cooper’s demonstration that Motorola released its flagship mobile phone, the ‘DynaTAC’, which was the world’s first commercially viable mobile phone (Motorola, 2009).
Originally these devices were commercially targeted at businesses and upper class individuals, as the cost of the device was very high and the actual usage was severely restricted by the technology limitations of the time: battery weight (Motorola, 2009) and a battery duration limited to a maximum of 30 minutes, making the device impractical and available only to businesses and professional consumers.
‘According to Moore’s Law, the number of transistors on a chip roughly doubles every two years.’ (Intel, 2005)
As Moore stated over thirty five years ago, due to the advancement of processors, battery technologies and overall reduced power consumption, mobile phones have become lighter, smaller, more powerful and longer lasting (Intel, 2005). Due to these fundamental technological advancements mobile phones have been able to incorporate additional existing technologies such as camera units, sensors, speakers and often take advantage of JAVA based applications and features, thus coining the term ‘Feature phone’. Feature phones are more advanced technologically than mobile phones however now
Smartphones currently reside in the top tier of mobile communication technology.
The term ‘smartphone’ is ambiguous and many experts fail to agree on a suitable definition. Most smartphone features are not exclusive to a particular category, this project does not intend to make that definition, however for the scope of this project I have listed combined definitions and compared current smartphone f