Schwartz On Security: Should Businesses Track Employee Smartphones?

Is the answer to better enterprise smartphone security to track device location and usage patterns?

The revelation that smartphones track users' location recently caused an outcry, leading to Congressional inquiries, explanations from vendors, and mobile operating system tweaks. From a business standpoint, however, perhaps the reaction should be different.

"Using location-based technology is interesting. It may provide a loss of privacy to the employee, but increased recoverability of the device to the employer," argues Michael Farb, a research programmer at Carnegie Mellon University's CyLab, in a new study. The CyLab report, sponsored by Intel's McAfee, is based on a survey of 1,500 mobile device users--including laptop and smartphone users--in 14 countries.

Martin Griss, director of the CyLab Mobility Research Center, is another proponent of using mobile location data--as well as access patterns--for enterprise security purposes. "Banks already know when my credit card is being used in unusual locations or in unusual ways and immediately try to protect me and limit risk--and the exposure that many companies face is significantly greater than misuse of my credit card," he says in the report.

But it's early days still for monitoring smartphone usage and location data. "Using context other than location is still in its early stages, since most context-aware work is still in the realm of research," he says. Even so, "simple behavior monitoring to detect abnormal patterns, perhaps combined with location, is feasible today, and can significantly strengthen mobile security."

Still, many businesses would do well to start with more basic mobile security tools. Notably, a recent study from Juniper Networks shows that the volume of malware targeting Android devices has increased by 400% since one year ago. But according to a 2010 study from SANS, only 15% of smartphone users employ mobile antivirus tools.

Obviously, despite the much-trumpeted consumerization of enterprise IT, security vendors aren't seeing at-work consumer mobile devices now being treated like enterprise property (which they rarely are). Chiefly, that's because businesses don't want to pay extra for mobile security. Indeed, the Cylab survey found an "apparent unwillingness of the majority of administrators to pay for mobile security products or services."

That raises an interesting question: Should the smartphone ecosystem evolve as a place where end users get their security built in, or else handled via the cloud? Because users seem to expect this today--and mass expectations can carry impressive weight. Witness the unprecedented step taken by a computer OS manufacturer, Apple, telling its users how to uninstall the MacDefender fake AV now infecting many Macs. Apple's move was apparently driven by the fact that its customers expect that anything resembling malware shouldn't exist on their Mac. Next week, Apple even plans to roll out an OS upgrade that will eliminate the MacDefender malware, no doubt helping to eliminate both user frustration and help desk calls.

But one industry analyst said that Apple was being held to an unreasonable standard. "I'm not sure Microsoft provided great advice on malware on Windows PCs, nor did Sun on Solaris or RedHat on Linux--why would anyone think Apple would? That is why the third-party security market exists," said Gartner analyst John Pescatore in a recent SANS Newsbites newsletter. "Depending on the infrastructure to protect the infrastructure hasn't worked yet, won't work any time soon."

Yet that's precisely what most smartphone users and IT administrators today are doing. Security analyst Jeff Wilson at Infonetics says this approach will evolve. But for now, businesses are still cataloging devices, designing related security policies, and perhaps hedging their bets that no major mobile security exploit will happen anytime soon.

Is it reasonable to expect smartphone business users to be doing more? Perhaps, but for now, in mobile device infrastructure we trust.

Recommended Reading: iOS 4 Hardware Encryption Cracked By Forensics Firm The State Of Mobile OS Patching Reduce Your Android Security Risks Android User Data Easily Stolen Mobile Security Needs Executive Involvement How Secure Is iPad? See more by Mathew J. Schwartz

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)