Can users help solve the mobile security disconnect?
Today’s mobile IT environment -- with all of the issues that bring-your-own-device policies and shadow IT bring with them -- represents a starkly different world to secure and manage.
Read any story about cybersecurity these days, and chances are you’ll see at least some mention of the importance of mobile security. That’s for good reason, because mobile is considered one of the greatest risks, if not the greatest, to overall enterprise IT security. Despite this acknowledgement, enterprises are still not doing enough to protect against mobile threats.
At least, that’s the conclusion of MobileIron’s latest quarterly Mobile Security and Risk Review, which details a fairly stark disconnect between the threats faced by both private and government organizations and the protections they’ve implemented.
Despite the noted rise in the number and sophistication of mobile threats, MobileIron found, only 8 percent of organizations are enforcing operating system updates, and less than 5 percent are using the most modern mobile security applications, such as app reputation or mobile threat detection software.
All of this shows that, while the speed at which attacks are developed and implemented is increasing, enterprises are still not doing what they should to protect themselves. This “lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are available,” according to James Plouffe, MobileIron’s lead architect.
Other surveys have come to the same conclusion. A recent Ponemon Institute study, for example, found that a large majority of respondents saw mobile devices as both susceptible to hacking and the probable cause of data breaches in their organizations, but only a third were “vigilant” in protecting their data. Just under 40 percent didn’t even see a pressing reason to protect data on their mobile devices.
Sean Frazier, the chief technology evangelist for MobileIron’s Public Sector Practice and someone who has years of experience working with government, said that while agencies are certainly thinking about doing right by mobile overall, they still don’t have a concept beyond those of basic mobile capabilities.
They’re “struggling to get their arms around the whole mobile app concept,” he said. They are not yet as capable as many other organizations around the world, and they either don’t fully understand the dangers, “or they do, but find they can’t respond as quickly or as well.”
There’s a disconnect with this, he believes. Government overall responds well to most IT security incidents, but it doesn’t seem to understand how to transfer that insight to mobile. When MobileIron goes into agencies and asks to talk to the folks in charge of mobile, he said, they’ll often get shunted over to those in charge of email or other functions -- not to the security people.
Disconnects show up in other areas of government as well. The Obama administration, for example, has been pushing for the increased use of encryption to safeguard at least some part of the IT traffic chain. The Office of Management and Budget last year issued a memo requiring agencies to use HTTPS for all website and services connections by the end of 2016.
At the same time, however, national security officials have been making a concerted pitch to get some kind of back door inserted into operating systems, messaging services, etc. to help them tap into encrypted communications from suspected terrorists. Experience has shown that, if those kinds of workarounds exist, at some point the bad guys will find them and use them to get into government networks and systems.
A basic problem, according to Frazier, is that government hasn’t caught on to the fact that mobile has fundamentally changed how IT should be viewed and managed, with users now much more involved at a higher level. That’s a radical departure from traditional views of mobile where, say, agency IT departments hand out sanctioned BlackBerrys -- with just IT-approved apps and data on them -- to their employees.
Today’s mobile IT environment -- with all of the issues that bring-your-own-device policies and shadow IT bring with them -- presents a starkly different ecosystem to manage. Mobile devices today are mobile computers, not just communications devices. And it’s the users themselves, many of whom have been using mobile for their own needs for years, who have the knowledge about how to securely manage the apps and data on their devices.
Frazier said he thinks government will eventually see the utility of users managing mobile security, particularly since major manufacturers such as Apple and Samsung have built sophisticated security management into their devices.
“It’s about time that the user was brought more directly into the conversation,” he said.