The Portable Puzzle

Solutions for managing security of mobile systems and portable storage devices still elude many enterprises

When it comes to developing solutions for managing the security of mobile and portable storage devices, IT executives' attitudes can be summed up in one word: frustrated.

That's the word that best describes the responses we've received to Dark Reading's portable and mobile security survey over the past month. Security professionals say they are frustrated by their inability to enforce policies for securing mobile devices, and their inability to find adequate technology solutions among a plethora of rapidly-developing products.

As we saw in Part 1 of our survey analysis last week (see No Wires & No Policies), corporations and large organizations are having trouble developing enforceable policies for securing portable devices. While 42 percent of respondents said their organizations maintain an "unplugged" philosophy for most users, approximately 61 percent said they either haven't got a policy for removable storage devices, or their organizations were vulnerable because their policy was unenforceable. About 28 percent of respondents said their policies for mobile device management were either nonexistent or unenforceable.

A major reason for these policy shortcomings is the dearth of viable technology for managing the security of devices that travel outside company walls, security professionals say. In our survey, 47 percent of respondents said current products for managing removable storage were inadequate or nonexistent; about 46 percent said the same is true of products for securing mobile and wireless devices.

A shortage of adequate encryption technology is one problem, IT executives say. "The most frustrating aspect of securing mobile devices and storage media is trying to find a way to implement encryption that works for all our users around the globe," says Greg Lyons, security research analyst at a major consumer-packaged foods company. "Different countries today have widely varying laws on decryption, and regional solutions are no help, because our users often travel between jurisdictions."

Other respondents are exasperated by the myriad of portable technology available on the consumer market, much of which ends up in their users' pockets. "New devices from Best Buy should be left home or at the door," says David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "The company should provide the tools or access required."

Some security pros say there may be adequate solutions on the market, but they are so overwhelmed with new product information that they can't make heads or tails of it. "Nobody can keep up with all of the new technology," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment.

And others say the price tag for current solutions is simply too high. "It's not so much that the products are inadequate, it's that they are unrealistically expensive for the small- to mid-sized company, or a not-for-profit like us," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif.

Vendors, not surprisingly, disagreed with the survey respondents' assessment. Officials at companies such as SecureWave and Reflex Magnetics, both of which offer tools for managing and securing removable storage media, say their challenge is simply getting the word out to IT staffers who don't know there are viable products on the market to solve the remote device security problem.

By a wide margin, security professionals' greatest concern about mobile and portable devices is simple loss or theft. Some 62 percent of respondents ranked laptop theft as one of their top two concerns, and 37 percent ranked loss or theft of removable storage media in the top two. Introduction of malware via portable storage devices was cited by 29 percent of respondents; 22 percent were concerned about penetration of Wi-Fi or other wireless data network connections. Only 16 percent expressed high anxiety about the loss or theft of PDAs or other mobile devices; just four percent were worried about eavesdropping on cellular calls.

Interestingly, however, only one percent of respondents have actually experienced a security violation through mobile or portable storage media, and only 26 percent of respondents cited the threat of attack as the primary driver behind their mobile and portable security initiatives. The most frequently-cited driver for mobile security efforts was a general push for better security across the enterprise (30 percent), followed by compliance with Sarbanes-Oxley or other regulatory standards (25 percent).

No matter what their motivation, though, survey respondents wish they could find products and vendors that fit better with their existing environments. "Every [vendor] has a better way of doing things and has included special features in their applications," Kubista observed. "But it's all useless if it takes forever to map that application to a business process."

— Tim Wilson, Site Editor, Dark Reading

  • Reflex Magnetics Ltd.
  • SecureWave S.A.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
