Spam costs organizations $712 per employee/per year, according to Nucleus Research. However, these staggering numbers don't even take into consideration one of spam's latest victims: enterprise mobile users. Spam targeted at smart phones is on the rise and becoming a growing security and productivity concern.
Protecting the inboxes of Blackberries, iPhones and other mobile devices requires new thinking. Spam, viruses and phish getting through to a desktop inbox is troublesome enough, but on a mobile device these threats present a unique set of security concerns and consequences, some of which are only just beginning to surface. Here are the problems and measures IT managers can take to combat them.
Distraction and Diminished Productivity: Spam in a mobile environment presents users with a significant productivity problem. Mobile users' time on-the-go is precious. While you can argue it's acceptable for desktop users to spend time weeding out the spam the corporate e-mail security solution allows through (typically 5%-20% of all email), or tracking down false positives, the argument can't fly for mobile users. Viewing, sorting and deleting messages takes significantly more time and effort on a small mobile device than on a traditional desktop. Screen space, storage and user time is too valuable in a mobile environment to dedicate any amount to spam.
Compounding matters, the traditional tools used to deal with false positives (e.g., access to quarantine) will often not be available or will not be easy enough to use on mobile devices, leading to calls to IT which waste the time of several people. So, while some number of false positives may have been deemed acceptable for desktop users, the same number can cripple the average mobile user and present a significant distraction to the organization.
Difficulty Identifying Threats: Many regard the mobile device as inherently more secure than the traditional desktop PC, but because of its interface and limited functionality, it can hinder a user's ability to identify and avoid security threats. A primary concern for IT managers here will be phishing attacks. Smartphone users that do not have an effective security solution in place and are receiving spam or phish, do not have all the tools desktop users can employ to effectively judge which messages can be trusted.
Fonts, headers, images, text and links that may provide users with clues as to the true source or intent of a message may be skewed in a mobile environment. Users that are accustomed to mobile formatting issues may fall prey to phishing messages that they would not have been susceptible to in a desktop environment.
Viruses and Malware: The world of smartphone-based viruses and malware is largely yet-to-be-discovered. But if the past is any indication of the future, it is not a matter of whether these threats will take shape, but when. Because the particulars of how malware will exploit mobile device vulnerabilities are largely unknown, sufficient countermeasures do not yet exist on the devices themselves. This makes it imperative that, whenever possible, threats be stopped before they reach the mobile inbox, especially when you consider the challenge mobile users have in distinguishing threats from valid email.
A New Approach to Mobile Security
The approach to solving these problems is two-fold and must include both a technology and education component. From a technology perspective, you have to use tools that will protect both the desktop and the mobile inbox. While some security solutions may be well-suited for the desktop environment, they often will not adequately support the mobile environment. Keeping this in mind, you will want to consider technologies that are better able to address the unique security needs surrounding a mobile environment.
A best-in-class mobile/ desktop security solution does not necessarily mean the costliest one, but instead the one that has the right approach to the problem. It should yield a spam, virus and phish catch rate as close to 100% as possible. It must also provide the same easy-to-use self-management tools to users of mobile devices that are provided to desktop users to enhance security and reduce calls to IT.
Increasingly, leading e-mail security solutions are incorporating sender reputation components such as sender authentication and domain and IP reputation, and do not rely solely on the content of messages to identify spam. Solutions that rely solely on content analysis typically have higher false positive and spam rates, a frustration to users in a mobile environment. Sender reputation systems will be able to yield a higher spam catch rate, a lower number of false positives and supply both a more secure and productive mobile environment.
But technology alone won't cure the problem. Users must become involved in the security process for a mobile security strategy to be successful. By educating users about potential threats and providing tools to avoid them, IT managers will be able to better mitigate spam attacks and the associated consequences.
Topics to discuss with users include the potential security risks associated with spam, how to identify phishing attempts in the mobile environment, and ways to moderate security risk. Users that proactively manage their personal network of contacts (i.e. manage who they distribute contact information to, what they open, and what they respond to) will inherently be able to operate in a more secure environment.
Industry trends are aligning with this thinking. In a recent report from the Messaging Anti-Abuse Working Group (MAAWG), A Look at Consumers' Awareness of Email Security and Practices, the group offered a number of recommendations to combat spam, and first and foremost is involving users in the security process. The report offers a number of suggestions, including educating users on reporting spam, identifying and handling false positives, and taking advantage of spam reporting capabilities.
By implementing a user-education component within your mobile security strategy, users can serve as the resource closest to the problem, rather than as a potential liability within an effective strategy.When taken together, these steps will allow you to not only address the security threats mobile users are facing today, but begin preparing for those we will surely face in the future. These measures will also preserve the benefits that enterprise smartphone users have come to depend on.
Brown is VP of Engineering at Sendio, Inc.