Feds want mobile security, except when they don’t
Mobile security is assumed to be critical to an agency’s overall IT security, but details on the effectiveness of such programs are scarce, making it hard to assess the overall risk from mobile devices.
A study by the Ponemon Institute and cybersecurity company Lookout of nearly 600 IT and security executives at major organizations, including those in the public sector, shows the risk from mobile devices is great and increasing. In fact, the majority of the study respondents believe mobile is a root cause of breaches.
Some 83 percent said mobile devices are susceptible to hacking, and over two-thirds said it was certain or likely that their organization had suffered a data breach caused by employees accessing sensitive and confidential information using mobile devices.
At the same time, only 33 percent of the respondents said their organization was vigilant in protecting data from unauthorized access. Even more startling, nearly 40 percent didn’t even consider protection of that data on mobile devices to be a priority.
Perhaps that’s not surprising when, according to the study, most of these IT security professionals didn’t know what their employees were really accessing on their devices. Those who said they did know thought the data was mostly email and text, when, in fact, personally identifiable information, customer records and confidential and classified documents made up a large part of it.
One of the biggest problems for security pros is translating this kind of information into the hard dollar damage that executive leaders look for to put a price on breaches. Ponemon takes a tilt at that figure, concluding that dealing with mobile devices with malware on them could cost over $26 million for the organizations in the study.
The inconsistent thinking over the utility of mobile devices and the security problems they pose is not new. A survey in 2014 by the Government Business Council found that 72 percent of federal government employees back then said they used mobile devices for work, and over half saw mobile security as one of the major challenges to expanding use of mobile. Yet less than one-third used any kind of mobile security app.
Despite all of this seeming inattention to mobile security, things seem to be improving. Last year, the Office of Management and Budget put out a cybersecurity memo that directly addressed mobile security, and the National Institute of Standards and Technology came out with a draft guide for securing mobile devices -- both moves indicating the importance of keeping mobile devices and the data they hold secure.
What, then, to make of the recent kerfuffle over the FBI getting a court order requiring Apple to break the strong encryption on an iPhone used by one of the terrorists who gunned down government workers in San Bernardino, Calif., in December?
The merits of the FBI’s argument (or of Apple’s pushback against that order) aside, this argument has implications for overall mobile security. If the FBI wins the debate and Apple must write iOS code that allows the FBI and other law enforcement and intelligence agencies to break into phones, that weaker security could compromise every other mobile user.
Strong encryption has been proposed as a universal solution for protecting data on mobile devices. It might not stop the most determined attacker, but it will prevent most bad actors from stealing whatever data is on a device. The Obama Administration itself has pushed for encryption, and the Ponemon study found it was the most preferred means of securing data.
Recently, however, Bloomberg reported on what it called a “secret meeting” at the White House around Thanksgiving last year, where senior national security officials ordered government agencies to develop encryption workarounds so that investigators could get to user data as they needed.
All of this seems to throw the issue of mobile security risk -- one of the most important government IT issues -- into doubt, once again. With malware and the attackers who use it becoming ever more sophisticated and capable, any weaknesses will be found out and exploited. For agencies and mobile users, conflicting messages over security sow doubt and confusion.
So, where to now?
This blog was changed Feb. 29 to include Lookout, Ponemon Institute's partner in the mobile risk study.
Posted by Brian Robinson on Feb 26, 2016 at 10:46 AM