
The Portable Puzzle

Solutions for managing security of mobile systems and portable storage devices still elude many enterprises

When it comes to developing solutions for managing the security of mobile and portable storage devices, IT executives' attitudes can be summed up in one word: frustrated.

That's the word that best describes the responses we've received to Dark Reading's portable and mobile security survey over the past month. Security professionals say they are frustrated by their inability to enforce policies for securing mobile devices, and by their inability to find adequate technology solutions among a plethora of rapidly developing products.

As we saw in Part 1 of our survey analysis last week (see No Wires & No Policies), corporations and large organizations are having trouble developing enforceable policies for securing portable devices. While 42 percent of respondents said their organizations maintain an "unplugged" philosophy for most users, approximately 61 percent said they either haven't got a policy for removable storage devices, or their organizations were vulnerable because their policy was unenforceable. About 28 percent of respondents said their policies for mobile device management were either nonexistent or unenforceable.

A major reason for these policy shortcomings is the dearth of viable technology for managing the security of devices that travel outside company walls, security professionals say. In our survey, 47 percent of respondents said current products for managing removable storage were inadequate or nonexistent; about 46 percent said the same is true of products for securing mobile and wireless devices.

A shortage of adequate encryption technology is one problem, IT executives say. "The most frustrating aspect of securing mobile devices and storage media is trying to find a way to implement encryption that works for all our users around the globe," says Greg Lyons, security research analyst at a major consumer-packaged foods company. "Different countries today have widely varying laws on decryption, and regional solutions are no help, because our users often travel between jurisdictions."

Other respondents are exasperated by the myriad of portable technology available on the consumer market, much of which ends up in their users' pockets. "New devices from Best Buy should be left home or at the door," says David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "The company should provide the tools or access required."

Some security pros say there may be adequate solutions on the market, but they are so overwhelmed with new product information that they can't make heads or tails of it. "Nobody can keep up with all of the new technology," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment.

And others say the price tag for current solutions is simply too high. "It's not so much that the products are inadequate, it's that they are unrealistically expensive for the small- to mid-sized company, or a not-for-profit like us," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif.

Vendors, not surprisingly, disagreed with the survey respondents' assessment. Officials at companies such as SecureWave and Reflex Magnetics, both of which offer tools for managing and securing removable storage media, say their challenge is simply getting the word out to IT staffers who don't know there are viable products on the market to solve the remote device security problem.

By a wide margin, security professionals' greatest concern about mobile and portable devices is simple loss or theft. Some 62 percent of respondents ranked laptop theft as one of their top two concerns, and 37 percent ranked loss or theft of removable storage media in the top two. Introduction of malware via portable storage devices was cited by 29 percent of respondents; 22 percent were concerned about penetration of Wi-Fi or other wireless data network connections. Only 16 percent expressed high anxiety about the loss or theft of PDAs or other mobile devices; just four percent were worried about eavesdropping on cellular calls.

Interestingly, however, only one percent of respondents have actually experienced a security violation through mobile or portable storage media, and only 26 percent of respondents cited the threat of attack as the primary driver behind their mobile and portable security initiatives. The most frequently cited driver for mobile security efforts was a general push for better security across the enterprise (30 percent), followed by compliance with Sarbanes-Oxley or other regulatory standards (25 percent).

No matter what their motivation, though, survey respondents wish they could find products and vendors that fit better with their existing environments. "Every [vendor] has a better way of doing things and has included special features in their applications," Kubista observed. "But it's all useless if it takes forever to map that application to a business process."

— Tim Wilson, Site Editor, Dark Reading

  • Reflex Magnetics Ltd.
  • SecureWave S.A.
