LJWorld.com

Smartphones are poised to become the next major security challenge for businesses.

For now, a good rule of thumb for on-the-go workers is: "If you don't need to do it, don't do it," said Aaron Cohen, chief executive of The Hacker Academy, a Chicago-based firm that provides security training for companies and government agencies. Cohen warned against idly checking e-mail or opening sensitive documents on a hand-held device - unless it's absolutely necessary.

Security experts say that in general, business-oriented smart phones come from the manufacturer with decent built-in safeguards, such as encryption and firewalls.

But consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work.

In a CompTIA survey conducted this year of 1,070 small businesses in North America, 60 percent of firms said they've seen an increase in security issues related to the use of hand-held computing devices in the last 12 months.

Chris Nickerson, a Denver-based security specialist at Alternative Technology, said the concern for businesses is whether these phones "will cause so much of a risk that they will eventually ... just be banned from corporate environments."

Aaron Mog, CEO of Goliath Security in Chicago, said he's preparing for a "whole new generation of security applications - applications for mobile devices and ways to secure access."

Security risks

Laptops, smart phones and PDAs give employees the ability to work from home or travel far from the office, all while transporting the information they need on their mobile devices. But the increasing ease of working remotely is creating a growing set of security concerns for companies.

Workers on the go "still want access to the same data applications that they have if they're sitting at their desk in their office," said Steven Ostrowski, spokesman at the Oakbrook Terrace, Ill.-based Computing Technology Industry Association. "Mobility is a great thing ... (but) every one of those individuals that's accessing the network remotely is a security risk."

So far, there haven't been any high-profile epidemics of mobile viruses like the "I love you" worm for PCs that spread rapidly around the world in 2000. But developers have introduced "proof of concept" malware for cell phones to demonstrate the destructive potential of such worms.

The "Cabir" virus, which made its first appearance in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as "Commwarrior.A," replicated itself by sending a picture or text message to people in the infected device's contacts list.

"I'm sure there may be some things that ... haven't made the front page yet, but it doesn't mean it's not existent," Jeff Falcon, a security specialist at Vernon Hills, Ill.-based computer reseller CDW, said of mobile malware. "It's inevitable with the rapid growth of mobile devices and BlackBerries and smart phones that it's going to shift in that direction."

Unprotected data

Nickerson recalls walking through an airport carrying a suitcase that contained a device that sucked up hundreds of megabytes of contact information and other personal data through unprotected Bluetooth connections.

Nickerson has used the same machine in the offices of his corporate clients. The gadget searches for Bluetooth devices where users haven't changed the manufacturer-provided default passwords. The machine then enters the default password and accesses information through the now-open Bluetooth connection.

"You'll walk through the cube farm and you'll be amazed," said Nickerson, who is featured in a new Court TV program that follows his team as it infiltrates corporate security systems. "You'll look at this hard drive when you're done, and you'll see everything from pictures of people's families to user names and passwords and financial data."

When people take their work out of the office, the threats to corporate security multiply. Someone using a company laptop to send data from a non-secure Wi-Fi hot spot could unwittingly have that information monitored. Neglecting to set new passwords on phones and other devices leaves them vulnerable. There's also the headache of theft or misplacement of phones, external hard drives and pen-size flash drives.

Eric Hines, a former teenage hacker and computer security expert, once passed through an airport security line with a co-worker who accidentally switched his laptop with an identical one owned by the person behind him.

"No matter how great security technology gets, humans will always be the weakest factor," Hines said.

Hines and other security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks increases in volume and value.