Mobile
2/3/2014
02:35 PM
Marilyn Cohodas
Marilyn Cohodas
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Infographic: Mobile Security Run Amok

Where is your organization in the battle over mobile device management and security?

2014 marks the 10th anniversary of the world's first mobile malware, Cabir. In the decade since, the incidents of mobile malware have increased dramatically. Yet, according to InformationWeek's 2013 enterprise security survey, the majority of security pros still don't have a clue about what devices are accessing their networks.

Where is your organization in the battle over mobile device management and security? Check out the graphical depiction of the research below, then let's chat in the comments about the challenges you face.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/3/2014 | 2:55:29 PM
No Clue? The 45 percent
Can it be true that nearly half of respondents allow all users on to the network if they agree to policies that no one enforces? How typical is that? 
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/3/2014 | 3:16:15 PM
Re: No Clue? The 45 percent
Marilyn, In my discussions with practitioners, it's more common that you'd think. The usual justification is that HR requires employees to sign a form where they promise to observe some set of rules and policies. However, as we saw with Edward Snowden, those forms aren't worth the paper they're printed on if the employee decides to misuse mobility. There's also the problem of well-meaning but clueless users who use "0000" as a passcode or stick a post-it note to the back of their tablets with email and SaaS passwords.

Wny not put enforcement in place? Usual reasons are the business won't stand for it (or pay for it)and/or the MDM/MAM market is still too fragmented given that they support multiple platforms.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/3/2014 | 3:19:37 PM
Re: No Clue? The 45 percent
I certainly understand that trying to stay on top of mobile security is like shooting a moving target. Yet it seems to me that it  is equally absurd to spend the time developing policies if you know you can't enforce them. 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
2/3/2014 | 4:28:01 PM
Re: No Clue? The 45 percent
Surely, there must be some MDM vendors out there that support the big three: Android, iOS, and Windows Phone.
WKash
50%
50%
WKash,
User Rank: Apprentice
2/3/2014 | 4:44:13 PM
Re: No Clue? The 45 percent
It does seem that some of these respondents' companies are inviting trouble. For those trying to figure out what baseline to use to improve their BYOD policy, here's what the US CIO issued to agencies nearly 18 months ago:
A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs

Contents http://www.whitehouse.gov/digitalgov/bring-your-own-device#key-considerations
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
2/3/2014 | 8:13:53 PM
Re: No Clue? The 45 percent
BYOD brings significant benefits to business and improves the efficiency at least one fold. But the security threat is always a headache of IT department. Last month my company pushed the installation of new security software on our BYOD device so that the security is enhanced when accessing company network to download email. The installation process is rather tedious and time-consuming. Furthmore, I do doubt its effectiveness. The stringent policy is good for security but if you cannot enforce it easily, then it's really something of vain.
PeteJW
100%
0%
PeteJW,
User Rank: Apprentice
2/4/2014 | 4:16:32 AM
Re: No Clue? The 45 percent
Part of the issue is also understanding that users too are sensitive to heavy handed IT policies and controls that potentially effect their own privacy. That's why businesses are supplementing standard devuce controls with app and contatent management - especially techniques to isolate and secure business and personal content -at rest and in-flight. If they don't do this effectively (across multiple devices and silos) without adding more burden on IT and a usability tax on the user, then the device will be left at home, become an office paperweight, or as research indicates compromise a business. Whatever the case everyone loses.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/4/2014 | 6:33:00 AM
Re: No Clue? The 45 percent
"The installation process is rather tedious and time-consuming. Furthermore, I do doubt its effectiveness."

That's a killer assessment, especially from someone who is tech-savvy and not your typical end-user/employee. If a tough, unenforceable BYOD policy turns off even the "believers," then mobile security has truly run amok. There must be a better way.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/4/2014 | 6:35:53 AM
Re: No Clue? The 45 percent
Thanks, PeterJW. What are the  "techniques you've seen that are effective in controlling BYOD. Are you speaking of policies or technologies or a combination of the two. 
PeteJW
50%
50%
PeteJW,
User Rank: Apprentice
2/4/2014 | 7:43:10 AM
Re: No Clue? The 45 percent
Hi Marilyn - Definitely a combination - What I personally consider key is having the management flexibility in  the tools and tech to not only ensure a policy is enforced, but actually deliver the flexibility needed to guide its development -- especially if policies start off too rigid/control-centric and are being ignored.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youíre still focused on securing endpoints, youíve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.