Opening Remarks by Mr. John Wong, Assistant Government Chief Information Officer, at the Mobile Security Conference 2009 organised by the Hong Kong Wireless Technology Industry Association
15 April 2009
John (Mr. John CHIU), Distinguished Guests, Ladies and Gentlemen,
Good morning! I am pleased to address you at this “Mobile Security Conference 2009”. I am particularly delighted to see a big, interested audience really concerned about mobile security. Of course, I am also much encouraged that we have many honorable speakers today to share with us their experience and knowledge on mobile and wireless security.
Mobile Usage
Nowadays, the mobile phone is a wearable fashion just like watches and jewelry. People carry their mobile phones around the neck, in the hand, pocket, briefcase, by the bed or even in the bath. An IDC survey conducted in 2008 found that 38% of the respondents would choose their mobile phones rather than their wallets if they had to leave one behind. This is not an exaggeration.
Mobile devices are capable of storing and manipulating a large amount of data (in terms of gigabytes) and possess integrated functions including a mobile phone, PDA, USB flash storage, digital camera, radio, audio and video player, GPS and other gadgets. Associated with such convenience, we should be concerned about the security of the data created, captured and replicated.
Mobile Security Risks
Mobile devices often contain some business/personal contacts, account passwords or e-mails. The security issues and threats that we have for traditional information systems are generally applicable to mobile security. Moreover, mobile devices are particularly vulnerable to loss, theft or tapping as well as falling prey to malicious codes or hacking.
Strengthening Mobile Security
Mobile security should be an integral part of corporate information security. Companies should extend their enterprise security policies to mobile facilities to assure equivalent controls and make security requirements a key factor in purchasing considerations. Mobile devices and networks should be configured like other workstations, with the security tools properly applied, e.g. encryption, identity management, removable storage protection, timeout setting, device locking, access control passwords etc.
Organisations should conduct risk assessment to identify which company assets may be placed at risk by the mobile devices and networks, and evaluate the associated threats and business impacts in order to devise effective protection solutions. Sometimes, the process may reveal that the data carried or made accessible by a mobile device and the networks it may connect to is more valuable than the device itself.
You may recall that a digital camera holding unencrypted highly sensitive defence information was sold on eBay. The buyer was subsequently traced and the camera and his home PC were seized. He was reimbursed for the cost, inconvenience and embarrassment but his home was thoroughly searched. He was also warned not to speak to the media.
Government’s Policies and Guidelines
The HKSAR Government has established security regulations and policies relating to mobile security and requires all staff to comply with them. There are access control and encryption requirements to prevent unauthorised data disclosure; backup and restore policies to protect against business data loss or corruption; secure communication measures to stop eavesdropping and backdoor network access; incident reporting and handling procedures. We also provide extensive security guidelines on wireless networks for reference by government departments.
To promote the awareness and share our knowledge on information security, we have made available reference information on the above security policies and guidelines on our website (www.infosec.gov.hk) for public access.
Closing
The most important defence relies on people’s discipline. I would like to close by quoting an incident of sensitive information leakage. On 9 April 2009, Britain's most senior counter terrorism officer resigned after he inadvertently revealed a secret document to photographers while exiting his car and walking along for a Downing Street meeting. The document carrying details of an anti-terrorist operation being planned was clearly visible to press photographers equipped with telephoto lenses. The UK Government immediately imposed a restriction preventing the media from revealing the contents of the picture of the document – which included the names of several senior officers, sensitive locations and details about the nature of the overseas threat. Police were forced to bring their operation forward earlier than planned. Mobile devices are exposed to similar threats.
Ladies and gentlemen, I am sure you are as eager as I am to listen to what our distinguished speakers have to say. I would like to congratulate the Hong Kong Wireless Technology Industry Association, Hong Kong Wireless Development Centre and Hong Kong Productivity Council for their enthusiasm and dedication in organising this meaningful event. I wish you all a very rewarding day and a very successful Conference.
Thank you.
- ENDS -