Cell Phone Security: Where Does the Mobile Buck Stop?
By Jan Volzke, Head of Global Marketing, McAfee Mobile
Everywhere you turn these days, it seems people are talking about the iPhone, which after months of hype finally debuted this summer in a frenzy on par with the latest Harry Potter novel. People around the country literally lined up around the block to spend $600 (plus tax) to get their hands on one, driving home the message of just how far mobile phones have come from the days when they were for — making phone calls.
The popularity of the iPhone has already made it a target for hackers, as widely reported last month by BusinessWeek and other major media outlets (http://www.businessweek.com/the_thread/techbeat/archives/2007/07/the_price_of_po.html).
While it is primarily a highly priced consumer device and thus unlikely to approach the enterprise penetration of the mobile-office-focused Blackberry, Treo and the like, the AT&T-only iPhone will certainly be used by many people for work-related applications. As a security company, McAfee needs to ask the following question: Given the growing popularity of smartphones and traditional cell phones for business use, should the burden of enterprise mobile security lie on the shoulders of the enterprises or the carriers?
Mobile threats
Mobile communications devices and services are generally considered safe, and there is still an enormous gap between mobile and PC threats. But the growth of mobile malware has been outpacing its non-mobile counterpart in recent years. As McAfee reported in February in its 2007 Mobile Security Report (send requests for a copy to service@mcafeemobile.com), 83 percent of carriers worldwide have experienced infections in their network of up to 500,000 devices. And, since the end of 2005, McAfee Avert® Labs has identified 150 new malware variants, bringing the total we are tracking to around 350 — and growing.
Infections can be delivered via message attachments, application downloads, and Bluetooth. But phishing scams and mobile spyware have also become a reality in mobile. And in a new form of social networking, hackers are increasingly using sophisticated verbal tricks to get users to confirm the installation of such malware. (See http://www.avertlabs.com/research/blog/index.php/2006/08/29/school-of-smish/ for more on this topic.)
After all, there's a lot of money in mobile combined with very low risk perception, and McAfee expects Internet threats to migrate as a result — first targeted to feature-rich multimedia phones and later on to all devices.
Onus on the carriers?
Everyone knows how fiercely competitive the mobile market is, so it goes without saying that carriers want to maintain their market position, protect their brand, maintain consumer trust and keep adoption barriers for new services low. But neglecting the mobile security challenge while promoting high-speed mobile Internet access, mobile email, mobile navigation, even mobile payments is not only naive, it also puts the entire mobile agenda at risk of failure. So carriers need to accept mobile security as a cost of fixed-mobile convergence and treat it under the umbrella of "network quality." A number of major cell phone operators have dedicated security teams in place to address this issue.
Onus on the enterprise?
Enterprises face a difficult decision. Either they start centrally purchasing network-independent and high-priced smartphones for which there are many preventive solutions available, or they go for more reasonably priced carrier devices and depend upon security features provided by the carrier. In reality, most enterprises simply cannot afford to centrally purchase smartphones for their entire workforce (with the exception of heavily vertical-focused process businesses such as UPS, for example). As a result, most enterprises end up in a complete mess of employee gadgets — a mix of old, new, cheap and expensive.
Because it's hard to monitor and control which devices the majority of employees use, mobile security becomes financially and practically impossible to manage. So, while enterprises should (and do) implement solutions to prevent data loss, manage risks from unencrypted data, and avoid mobile/PC malware infections, they also need to select a carrier whose network and devices offer additional security features. And from there they must investigate additional enterprise-specific security and manageability requirements.
A note for the consumer
Because all the pieces of the mobile security puzzle have yet to fall into place, consumers should be careful not to get caught in the cracks. Besides asking their carriers which specific security features have been implemented, consumers should continue to use PIN numbers, switch off Bluetooth to save power, and try to maintain physical control over their devices at all times. Remember — you can never be too careful.
The future of mobile security?
Enterprises know their particular security needs better than anyone else and will look for solutions accordingly. On the other hand, consumers expect security to be taken care of by the carrier, especially when they are offered advanced mobile data services such as mobile payment or localization service over the same line. Even more important for consumers is the fact that most cell phones do not allow the installation of additional security applications, as opposed to a PC or laptop. Today consumers expect and need security "out of the box," so operators must take security considerations together with cell phone manufacturers very seriously. And they are.
At least for now.
Time will tell how far carrier-provided protection will reach and which security features enterprises will purchase directly (and exclusively) from security vendors to extend their existing security policies to mobile devices. It's an interesting scenario to watch, because it's literally evolving before our eyes, and it's simply too early to predict how it will unfold. In the meantime, we're doing everything we can to safeguard mobile devices, networks and services.
For today and tomorrow.