Mobile Security: Is Anyone Listening?

Seven things you can do right now to decrease your organization’s risk

Mobile computing has become a cornerstone of business productivity. All of the conveniences and benefits associated with mobile computing are obvious to practically everyone. Envision a world without wireless Internet, smart phones and remote access. It is hard to imagine how we could get by without it. Now that’s the rose-colored glasses perspective — but there is a dark side to mobile computing that very few in business want to talk about or address. It is the flip side to all of those conveniences and benefits: the threats lurking, awaiting their turn to exploit the weaknesses inherent in every mobile device.

The Mobile Monster
From the so-easy-a-monkey-can-do-it functionality of iPhones to extravagant laptop “comforts,” there is seemingly nothing we cannot do with our mobile systems. Functionality is advancing faster than IT operations can deploy the technologies that are supposed to take the pain out of our day-to-day work. Therein lies a big part of the problem — your users have business tools that all too many IT shops have not had the time to learn the basics of, much less secure.

The underlying issue with mobile computing is that more effort is going into enabling it than securing it — it is that simple. The security of laptops and smart phones is just not being treated with the same importance and it is creating business risks that many security professionals have never known before.

Mobile security is the elephant in the room. Is it because IT and security staff are too busy? What about users? Given their “Don’t touch it, it’s mine” approach, are they responsible? Is mobile security completely off their radar? I think it is a combination of these issues and a whole lot more. Mobile computing has become one of the most difficult areas of security to manage given the complexity of today’s information systems. Many people have enough trouble securing their immobile systems. Throw hundreds if not thousands more devices into the mix, and what’s an IT or security professional to do?

In any given organization, there are literally thousands of “islands” of sensitive and valuable information. And we thought the Internet opened up a lot of avenues of attack! The truth is that electronic information has sprouted legs, and we absolutely have to find some reasonable ways to keep it protected. There are compliance pressures from all angles and mobile security is not exempt. This is nothing really new, but a new mindset is required. Past approaches to security (and arguably some current ones) just will not work all that well in the mobile world.

Our Own Worst Enemy
Getting to the heart of the matter, I strongly believe that we humans are at the root of the problem. If anything, people (management, admins, users and so on) are at least inhibitors to decent mobile security. People have asked me what I think is the one greatest threat to mobile security and my answer is always “ignorance.” Based on what I see in my work, the perception of risks on the mobile side of things is just not there. It is a silly (mis)perception because all you have to do is look at the data breach studies. Incident after incident involves mobile devices. And these are only the breaches that people know about. What is going undiscovered and ignored?

This starts with management — and users to an extent — not valuing business assets. It is people essentially ignoring what is at stake and what can (and will) happen. Even with all of the awareness of security issues today, I see minimal leadership coming from the top. That puts the folks in IT in a precarious position. They are often made out to be the bad guys — the amateurs — not properly securing some of the organization’s most precious assets. The thing that’s unobvious to most is that their hands are tied. What is needed to thwart these mobile security threats and vulnerabilities is a culture of privacy and security, but it is just not there.

Many IT and business managers I meet with readily admit that they have not thought about what there is to lose as it relates to mobile computing. End-users are typically of the same mindset. Here are some other weaknesses I see:

• Management being too trusting of employees and outside contractors and visitors;
• Employees being given mobile computing privileges but no one really knows how they are using them;
• Employees being given responsibilities and/or complete rein to manage their own mobile security;
• Mobile security platforms falling outside the scope of security assessments and audits; and
• Mobile policies put in place for show more than anything without any real enforcement.

In many situations, I see pushback on the part of management and users because of the many inconveniences and barriers to getting work done that often result from “improved security.” They are right in many ways. Poorly-implemented security controls — especially on intimate mobile devices — are a recipe for backlash that can lead to even bigger security vulnerabilities in the end.
