Mobile conferences must be secured, too

Smartphone videoconferencing opens up new security holes and must be prioritized at same security level as other network endpoints, say experts.

Mobile videoconferencing may be a new application for enterprises, but it needs to be treated with the same security priorities as other endpoints in the organization, experts urge.

Eric Hoh, vice president of Asia South region and head of global accounts, Symantec Asia-Pacific and Japan, said in an e-mail interview that the introduction of videoconferencing applications on mobile devices adds new entry points to an organization's threat landscape.

"The 'consumerization of IT' has changed the way the CIO or CSO deals (chief security officer) with the threat landscape," Hoh explained. "Increasingly, employees are using a variety of mobile devices to connect to corporate networks."

Ong Geok Meng, Asia-Pacific and Japan head of anti-malware research team at McAfee Avert Labs, said companies should treat mobile security as they would for PCs because corporate data is exchanged via the devices.

Ong said there have been more instances of software vulnerabilities found in PCs compared to smartphones, but this does not rule out the need to secure mobile devices.

He noted that most organizations today fail to ensure mobile devices are as secured as other devices in their network.

According to a Symantec survey conducted last year, nearly half of businesses in Asia allowed mobile devices to access office e-mail, but fewer than one-third of mobile security policies were implemented.

Paul Ducklin, Sophos' Asia-Pacific head of technology, agreed, noting that companies may bypass traditional security measures when pressed for time.

In a Web conference, for instance, some companies assume keeping invite lists private provides sufficient security because there is lower risk of eavesdropping on a meeting that lasts only an hour or so. "But, an hour is a long time on the Internet clock," Ducklin told ZDNet Asia.

Furthermore, today's communications tools offer more connectivity than organizations may have intended--and correspondingly, more security holes, he added.

He listed examples such as videoconferencing software Skype, that also offer direct file transfer and PC desktop-sharing options. "Systems administrators going for technologies like VoIP (voice over Internet Protocol) and videoconferencing, need to make sure they aren't also unintentionally implementing these features as an unexpected 'side channel' in their online conferencing system.

"If you don't explicitly need these features in your Web meeting, make sure they are turned off. If they can't be turned off, find another Web-conferencing tool that will allow you to do that," Ducklin said.

One security expert thinks companies should wait for the dust to settle before deploying videoconference on the mobile platform. Chia Wing Fei, security response manager at F-Secure's security labs, said in an e-mail interview: "There is always some sort of security risk for early adopters of technology."

Chia highlighted Wi-Fi as an example, noting that it has taken "many security improvements" since the technology's debut before organizations could safely implement the wireless platform.

"The first question an organization should ask is whether they really need mobile videoconferencing," he said.

Communications equipment vendor Cisco Systems recently released a conferencing Web application that runs on smartphone-based Web browsers, connecting its WebEx customers to their mobile warriors. According to Cisco, the application was made available for Apple's iPhone in January. The tool was expanded in February to include BlackBerrys, Nokia, Samsung phones.

Alcatel-Lucent earlier this month also launched smartphone support for its OmniTouch 8400 Instant Communications line of products.