Mobile Malware: The Enterprise at Risk

Today's business-class smartphones have the same memory, processing power, and application capabilities that PCs had in the early part of this decade. They also run full-blown operating systems (OSs) such as Symbian or Windows Mobile. Besides the cellular connection, many of them have multiple options for moving data in and out, including Bluetooth and universal serial bus (USB) interfaces. These characteristics are a major reason why handsets have become an attractive target for writers of viruses and other forms of malicious software, or "malware." There are at least three reasons why malware should be viewed as a potentially critical security threat by CIOs and IT managers:

Vulnerability: Nearly all mobile malware has thus far targeted handsets that run a full-blown OS: Palm, Symbian, Windows Mobile, and, to a lesser extent, BlackBerry. These smartphones typically cost $300 to $700, which means they're usually provided only to executives and management. As a result, the people with the most to lose – e.g. address books with key company and customer contacts – are also in the best position to lose it. Meanwhile, smartphone prices are falling, which improves the business case for offering them to a wider range of employees, and thus increases the enterprise's vulnerability.

Cost: Although most mobile viruses (so far) cause little damage to handset functionality and stored data, their financial impact shouldn't be underestimated. Their damaging effects include lost employee productivity and increased IT support costs; users can also be socked by larger wireless bills from malware that causes the phone to send text messages – without the user's knowledge – to premium services that are charged to the phone account. Unless employees and managers scrutinize wireless bills, such charges can slip through. If the charges are so large that they're impossible to overlook, the enterprise can incur additional costs in terms of personnel hours spent disputing them with the wireless carrier, which might not be willing to issue a refund.

Risk: If a smartphone is used to store or access client information, malware can put that information at risk. As a result, the enterprise may run afoul of regulations and laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. Even if the handset is used to access that information rather than store it – for example, using cellular to connect to the company's server – malware can place it in jeopardy. For example, FlexiSpy is a keystroke logger that could be hacked into a Trojan for collecting information such as text messages and IP addresses visited by the phone's browser.

This report evaluates the potential impact of mobile malware on enterprise telecom and IT resources. The report identifies the potential entry points of malware programs and assesses the threat level that each potential trouble spot poses to the enterprise. It also surveys anti-malware products and solutions available from wireless service providers, handset makers, and third-party security software companies. Finally, it includes a full set of “Insider Tips” – guidelines and procedures that enterprise telecom and IT departments should consider to minimize exposure to malware risk. This report provides critical data and analysis for a range of industry participants, including:

Enterprise/IT managers and decision-makers involved in planning and administering enterprise mobility operations and applications

Manufacturers of smartphones and other enhanced mobility devices

Suppliers of mobility-enabling software and operating systems

Wireless service providers

Investors evaluating the competitive positioning and long-term prospects of startup and established suppliers in the anti-malware product sector