Courtney Macavinta
It's no longer uncommon to see people in the back of a cab, at the doctor's office, in the hallways at work, or at a business lunch typing away on their BlackBerry devices. Companies -- and even government and emergency service workers -- have become dependent on such wireless email tools. It's easy to see why: Being reachable at all times, and being able to conduct business or respond from anywhere, is an appealing proposition for today's increasingly mobile workforce.
The growing popularity of wireless email devices was never more apparent than during the recent court battle between the maker of the BlackBerry and a Virginia company that asked a court to shut the service down in the midst of a patent dispute. The threat of losing BlackBerry access sent shudders through many workplaces.
Today, more than half of European and North American companies now use some type of mobile email application from handheld devices to smart phones, according to Forrester Research. For CIOs, supporting wireless email brings up concerns beyond the future of BlackBerry. Wireless email devices raise the question of whether this new and convenient communication method poses threats that could put a company at risk. And the answer, experts say, is: yes.
"Imagine your doctor wirelessly emailing your medical records from his handheld device -- in my experience, about 95% of the time this will be done with substandard security in place," says Cyrus Peikari, founder of the Mobile Antivirus Researchers Association. "Do you really want passersby on the street to be able to sniff your lab results over the air?"
To get a handle on wireless email -- and to securely provide access to employees via handheld devices, mobile phones, or laptops -- experts say CIOs need to take precautions.
"CIOs need to pay attention to the fact that wireless email is another avenue of attack -- from viruses to the fact that the devices can be easily stolen," says Simon Tang, senior manager for security and privacy services at Deloitte & Touche Canada. "Wireless email devices are more like a little laptop than a cellular phone."
Know the threats
Email has taken on new meaning in many organizations. It can be used for legal discovery. Many regulations require that email containing client communication about financial statements or accounting, for example, be maintained for long periods of time. And email can be a catalyst for breaching corporate trade secrets, customer privacy, or other confidential information. As such, wireless email creates new security challenges on these fronts:
Transmission "People need to be concerned about what type of messages they are sending and receiving with these wireless devices," Tang says. When an employee sends an email from a handheld, for instance, it's usually securely sent to a company's email server and then forwarded. During the forwarding process the email could be vulnerable to interception, however. Or, as is often the case, many wireless email device users don't actually send emails. Instead they communicate via peer-to-peer text messages that don't go through a company's email server and are not saved as a copy on their desktop computer, Tang says. So these messages totally bypass a company's email protocols and policies.
Viruses Many wireless email devices allow the use of popular instant messaging programs, which are conduits for viruses. "Viruses are a growing concern for handhelds," Peikari says. "We have already seen blended threats and multi-platform malware. And future threats will be worse." Once a virus is loose on a handheld device, it can cause the same damage as it does in the desktop world -- destroying data, breaching databases, and stealing information.
Theft The nature of a mobile device-is to be very easy to lose, Tang notes. So if a company doesn't have the right controls in place, then whoever finds a misplaced device -- or steals it -- can get access to a firm's email, contact lists, or other company information.
Set security standards
When it comes to wireless email, Robert Parker, author of an upcoming IT Governance Institute book on privacy, Information Risks: Whose Business Are They?, says CIOs can be proactive by setting an overall security policy that covers polices and procedures for usage.
"Most security policies cover workstations and notebooks," Parker says. "CIOs need to get more specific about mobile devices, and the policies and procedures that employees need to adhere to when it comes to using these devices."
To mitigate risk, security experts have this advice for CIOs:
- Use multi-layer security The key to limiting vulnerabilities when it comes to wireless email devices is to use multiple layers of security. "Handheld devices should have a firewall, antivirus, intrusion detection, and encryption," Peikari says. Also, it's important for IT to set up an automatic process for installing new security patches and upgrading the device's operating system.
- Configure strong passwords The security policy should also include guidelines for how often employees will have to change their passwords for wireless email devices. Tang suggests that if the wrong password is input more than 10 times, the device should be configured to wipe its disk or lock.
- Limit peer-to-peer or personal use Especially if a wireless email device is being used to communicate with clients, those messages in most cases need to be archived on company servers. If employees use a handheld's peer-to-peer messaging capability, a copy of the message won't be saved properly. Parker says a CIO's policy should require that employees use company-issued devices. CIOs also should institute guidelines for peer-to-peer messaging -- or prohibit it all together. "Otherwise you won't have that same 'paper trail' which you need to comply with some regulations," he says.
- Educate employees CIOs should not assume that employees know the risks associated with wireless email and should take the time to educate them. Peikari suggests organizing in-person training sessions to make sure all wireless device users understand the security concerns and best practices.
Wireless email no doubt stands to increase the efficiency of many organizations and improve overall communication, but only with the right safeguards in place, Tang says.
"These devices are another asset CIOs need to manage just like desktops and laptops," he adds.
Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post.