Microsoft | NHS Resource Centre

Sidewinder asks: is that a security threat in your pocket or are you just pleased to see me?

Mobile phones are getting smarter – and so are the bad guys. With the consequences of data loss becoming ever more catastrophic, isn't it about time you started taking your pocket security seriously? asks Davey Winder.

The latest survey of mobile phone security, conducted by data protection specialists Credant Technologies, shows that 99 per cent of those questioned used their mobiles for business purposes. This suggests – or perhaps confirms – that there’s a requirement to get serious about the data security threat in our pockets.

Worrying statistics

Let's stick with the survey for a moment, as it reveals some other interesting statistics. Almost three quarters of those questioned (77 per cent) stored business contacts and 17 per cent downloaded documents and spreadsheets onto their smartphones from the corporate network.

Worryingly, 26 per cent of these business users are doing this after being told by their employer that it is… simply not allowed.

The survey also shows that 80 per cent of folk admit the data on their handsets could easily be used to fake their identity if it got into the wrong hands. That’s before we even talk about the 24 per cent who store PIN numbers and passwords on their phones.

Yet 40 per cent of these people did not protect all this personal data with so much as a simple password. Lose the mobile phone, lose the data and you’re set to lose a lot more than that if the data can be used to compromise your organisation’s information security.

Some trusts get it

Meanwhile, a report on Mobile Device Usage in the Healthcare Sector recently revealed that as many as 35 per cent of healthcare professionals relied on a simple password to secure all their mobile working data, and 6 per cent didn't bother with any security at all.

On the plus side, 35 per cent used encryption and 65 per cent of trusts said they had revised security policies to include mobile device restrictions.

Nottingham University Hospitals NHS Trust is one of the organisations that is taking mobile phone security seriously. It has issued a revised policy covering the issue and the use and security of trust mobile phones provided to staff.

This states that as a very minimum all the security features on trust mobile phones should be activated, and the handset password protected by a confidential PIN. The supplied SIM card should also have the network PIN code activated.

Furthermore, the Vodafone smartphones that it has opted to issue to staff include additional security features. All the data they send and receive is "digitised and interleaved" and "transmitted on ever-changing frequencies with each frame on a different channel."

On top of this, emails between a smartphone and the trust email server and other devices are encrypted using 256-bit Advanced Encryption Standard (AES) encryption.

Not sexy at all

Then there are the other nasties increasingly associated with mobile phones. Security vendor McAfee recently published its annual mobile phone State of Security report and, frankly, it makes for painful reading. More than half of all handset manufacturers have reported malware and spam incidents, and during 2008 the number of reported attacks doubled to more than one million.

Worse, these attacks are getting increasingly sophisticated. The EconServer worm, which targets handsets running the S60 operating system, spreads via SMS text message. Once installed it destroys certain aspects of the phone’s functionality in an effort to make sure that it can keep replicating.

And then there is Sexy View, which is not as exciting as it sounds. This also spreads via SMS, propagating malicious URLs in order to replicate and to make a connection between the mobile phone and the internet.

Sexy View could be gearing up to build the world's first mobile phone botnet, which would allow the internet connectivity of these devices to be effectively controlled remotely for the purposes of sending spam, spreading more malware and even launching Distributed Denial of Service hack attacks.

As of last year, NHS trusts and other public sector organisations have been required to ensure that any data stored on a "removable device in a non-secure area" is encrypted.

The NHS chief executive has stipulated that there should be "no transfers of unencrypted person-identifiable data held in electronic format across the NHS. This is the default position to ensure that patient and staff personal data are protected." Quite rightly so. As I said at the start, it’s time we all took that security threat in our pockets seriously.

About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June last year, he won the Security Journalist of the Year 2008 award: the second time he had been given this honour in three years.
