Not a day goes by that some headline isn't screaming about the existential threat posed by mobile computing. Attacks are up some astronomical percentage! Gen Y employees won't follow the rules! App stores are breeding grounds for malware! We even have breakout conferences within conferences to hash out mobile security. The number of respondents to InformationWeek's 2013 Mobile Security Survey jumped about 32% over 2012. The device type and platform diversity in bring-your-own-device programs is apparently causing so many problems that IT teams just want to pack up their servers, send everything to the cloud and go home.
Hold on a minute. Mobile security isn't something you can buy, so put down the checkbook, back away from the MDM system and realize that what we have here is a process and a trust problem.
I don't blame CIOs for feeling like a deer in the headlights. But I do blame many of them for thinking that mobility is different from any other IT security challenge. Heck, the risks aren't even new. The big increase in concern simply highlights the bad process, communications and technology decisions that most infosec teams have made over the past 10 years.
Take a look below at the "Top Five" checklist from a major mobility and IT security provider (which shall remain nameless):
1. Label all mobile devices with user and company information.
2. Require a user to authenticate to the device using a security password.
3. Define authentication features, such as password expiry, attempt limits, length and strength.
4. Ensure that all devices have timeout mechanisms that automatically prompt the user for a password after a period of inactivity.
5. Prevent mobile devices from downloading untrusted third-party applications over the wireless network.
Now remove the word "mobile." Yeah, 1995 called -- it wants its security boilerplate back. This advice applies to every network-connected IT asset you own, including laptops, desktops and servers, so why are we all so panicked?
Because sometimes, panic serves a strategic purpose.
The fact that the mobile malware risk is vastly overstated can be good for IT. It's difficult to get users to pay attention to, or executives to spend time and money on, something they don't perceive to be a problem. A first step is often to sow some fear. For example, a few years ago my consulting company was hired to perform a physical security assessment for a financial firm that had a problem with tailgating -- employees regularly propping open doors to secure areas. Management resisted change, saying the culture of the company emphasized openness and customer service, and therefore didn't want to force people to wait for admittance ... even after the CISO pointed out that an attacker could waltz into the network. So the CISO did something a bit risky: He asked us to send a stranger into the building to steal a purse. We did so easily. Remember, that CISO had spent two years trying to get basic physical security processes in place, to no avail. When the "victim" couldn't find her purse, and thus her car keys, chaos ensued. News of the incident spread. Of course, we gave the purse back about 15 minutes later, but the issue of open doors and the associated risk immediately took on a very different light.