Government // Mobile & Wireless
News
11/1/2013
01:23 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

It's Not 'Mobile Security,' It's Just Security

Mobility and BYOD are no different from any other IT security challenge, so it's time for an integrated approach across all the ways people work.

InformationWeek Green -  Mar. 4, 2013 InformationWeek Green
Download the entire November 4, 2013, issue of InformationWeek, distributed in an all-digital format (registration required).


Not a day goes by that some headline isn't screaming about the existential threat posed by mobile computing. Attacks are up some astronomical percentage! Gen Y employees won't follow the rules! App stores are breeding grounds for malware! We even have breakout conferences within conferences to hash out mobile security. The number of respondents to InformationWeek's 2013 Mobile Security Survey jumped about 32% over 2012. The device type and platform diversity in bring-your-own-device programs is apparently causing so many problems that IT teams just want to pack up their servers, send everything to the cloud and go home.

Hold on a minute. Mobile security isn't something you can buy, so put down the checkbook, back away from the MDM system and realize that what we have here is a process and a trust problem.

I don't blame CIOs for feeling like a deer in the headlights. But I do blame many of them for thinking that mobility is different from any other IT security challenge. Heck, the risks aren't even new. The big increase in concern simply highlights the bad process, communications and technology decisions that most infosec teams have made over the past 10 years.

Take a look below at the "Top Five" checklist from a major mobility and IT security provider (which shall remain nameless):

1. Label all mobile devices with user and company information.

2. Require a user to authenticate to the device using a security password.

3. Define authentication features, such as password expiry, attempt limits, length and strength.

4. Ensure that all devices have timeout mechanisms that automatically prompt the user for a password after a period of inactivity.

Report Cover
Our report on the state of mobile security is free with registration. This report includes 52 pages of action-oriented analysis, packed with 45 charts.

What you'll find:
  • What enterprises should look for in mobile security
  • Advances in mobile device management
Get This And All Our Reports

5. Prevent mobile devices from downloading untrusted third-party applications over the wireless network.

Now remove the word "mobile." Yeah, 1995 called -- it wants its security boilerplate back. This advice applies to every network-connected IT asset you own, including laptops, desktops and servers, so why are we all so panicked?

Because sometimes, panic serves a strategic purpose.

The fact that the mobile malware risk is vastly overstated can be good for IT. It's difficult to get users to pay attention to, or executives to spend time and money on, something they don't perceive to be a problem. A first step is often to sow some fear. For example, a few years ago my consulting company was hired to perform a physical security assessment for a financial firm that had a problem with tailgating -- employees regularly propping open doors to secure areas. Management resisted change, saying the culture of the company emphasized openness and customer service, and therefore didn't want to force people to wait for admittance ... even after the CISO pointed out that an attacker could waltz into the network. So the CISO did something a bit risky: He asked us to send a stranger into the building to steal a purse. We did so easily. Remember, that CISO had spent two years trying to get basic physical security processes in place, to no avail. When the "victim" couldn't find her purse, and thus her car keys, chaos ensued. News of the incident spread. Of course, we gave the purse back about 15 minutes later, but the issue of open doors and the associated risk immediately took on a very different light.

To read the rest of the article,
download the November 4, 2013, issue of InformationWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sharronstone
50%
50%
sharronstone,
User Rank: Apprentice
11/23/2013 | 9:43:49 PM
re: It's Not 'Mobile Security,' It's Just Security

Look, by now everyone knows that BYOD is a big security headache, but the solutions are not really going to always be boilerplate. IT departments are going to have to rise to this challenge and be innovative about the solutions and products they choose for BYOD. Our doctors started using their smartphones and tablets to text doctors and admin info because it is so easy for them to do so, and it was fast. Didn't matter that it was not HIPAA complient and loss of patient info could be a big lawsuit for us. We were able to at least get them to use a HIPAA complient text messaging app (Tigertext), but it shows how fast certain types of professionals are moving away from PC/Desktop to mobile devices and that they will use them in a way that can cost a business a lot of money unless the correct device purchasing startagy is used. More info: tigertext.com
AG4IT
50%
50%
AG4IT,
User Rank: Apprentice
11/5/2013 | 2:08:51 PM
re: It's Not 'Mobile Security,' It's Just Security
You are correct that many of the security challenges mentioned apply to more traditional devices as well, and not just mobile devices. However, mobile devices do present some unique challenges.

Security risks (lost devices, access to sensitive data) are definitely a part of mobile computing. However, these risks can be reduced by keeping data and applications separate from personal devices. That means that there's no sensitive data exposed if an employee's device is lost or stolen.

This can be achieved with solutions like Ericom AccessNow, an HTML5 RDP client that enables users to connect from most types of devices to any RDP hosts (such as VDI virtual desktops or Windows Remote Desktop Services) and run full Windows desktops or applications in a browser tab.

There's nothing to install on the end user devices, as you only need an HTML5-compatible browser so using AccessNow also reduces IT support costs, since IT staff don't need to spend time installing software on so many different platforms. All they need to do is give employees a URL and login credentials.

Download this free white paper for some additional ideas on securely managing the mobile workforce:
http://www.ericom.com/WP-Mobil...

Please note that I work for Ericom
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.