How To Fix The Gaping Holes In Mobile SecurityIT's juggling laptop policies and Wi-Fi policies and BYOD policies--and the result is unacceptable security gaps.
Remember the TJX security debacle stemming from a poorly protected Wi-Fi network at one of the retailer's stores? Given the result--45 million credit and debit card numbers compromised over an 18-month period and fines and settlements of at least $50 million--you'd think the flawed security mechanism that enabled the attack would be stomped out by now, a full five years after the story broke.
You would, however, be mistaken. Our InformationWeek 2012 Mobile Security Survey shows that 24% of respondents' companies are still using WEP, the technology at the root of T.J. Maxx's problems. And these are people who should know better--every one of the 322 business technology professionals responding to our survey is involved with mobile device management, policy development, and/or security.
The good news is that bring-your-own-device programs have helped push this topic to the fore: 90% of the 946 respondents to a separate survey, our InformationWeek 2012 Strategic Security Survey, believe mobile devices pose a threat to their companies' security now (69%) or that they will (21%). The No. 1 and No. 2 concerns: loss of a device containing sensitive data or an infected personal device connecting to the corporate network.
Mobile security as a focus area is here to stay. But what if we're going about it the wrong way? Smartphones are just computers that fit in our pockets, and ultrabooks are poised to blur the line between tablet and laptop. Most end users don't differentiate between Wi-Fi and 3G/4G access, and carriers want it that way because they see Wi-Fi as critical to combating spectrum shortages. Today, mobile security is end user security is data security. Maintaining two or three separate policies is a recipe for confusion and noncompliance.
Let's delve into the (sometimes disturbing) findings from our survey, then look briefly at how to mesh the realities of mobility today into a unified policy and threat management strategy that will serve us into the future; we go into much more detail on that front in our full report.
BYOD In Full Swing
While 86% of respondents to our Mobile Security Survey either allow or plan to allow personally owned devices, the policies governing them vary widely. Just 40% limit the range of devices supported and require that users connect to a mobile device management (MDM) system, compared with 42% who let all comers on the network as long as the device owner agrees to certain policies--in our experience, that often translates to "trust the user to do the right thing." Ten percent allow user-owned devices with no restrictions whatsoever.
Among company-owned smartphones, BlackBerry still leads the pack, but not likely for long. It's embraced by 70% of responding companies today. However, while our January InformationWeek Research In Motion Survey of 536 IT pros also showed BlackBerry representing a median of 70% of company-purchased devices in use now, that number plummets to 35% when respondents look ahead 24 months. A mere 7% plan to increase their use of RIM products.
So much for that BlackBerry security blanket.
How can we square an ever-expanding range of smartphones and tablets, many of them user-owned, accessing and storing all types of sensitive corporate information with the fact that just 14% of our Mobile Security Survey respondents mandate hardware encryption for corporate data? Especially since 48% say mobile devices have gone missing in the previous 12 months?
We can't--and the problem could potentially be far worse than it seems, since lost and stolen devices dominate our list of 10 mobile security worries. "Since replacing the device itself is relatively cheap, those concerns must be over possibly compromised data," says Craig Mathias, principal at mobile advisory firm Farpoint Group.
IT security pros aren't sitting still. In fact, 60% report that, in a given year, security incidents affected less than 10% of all the mobile systems they manage. But let's not get too cocky: We have many years of experience locking down laptops, which run overwhelmingly on a single operating system. In fact, 33% of respondents say 51% or more of their companies' employees are issued laptops versus 24% saying the same about smartphones and 6% issuing tablets to most workers.
Our advice is to build on what we've learned. There are some basics critical to securing data in use by mobile end users no matter how they're accessing it, and the more unified the policy, the easier it is to enforce.
1 of 3