Last month Spiceworks released a study about mobile security in the enterprise – or, as the case may be, lack thereof.
The company found that despite ever-present threat of hacks into corporate systems, corporate IT shops are not investing in mobile device management software or buying mobile device security software, at least not at the levels they should given the deep inroads mobile devices have made in the corporate environment.
Spiceworks found that very few IT departments are monitoring employee usage of their mobile device and in fact, more than 25 percent of the organizations of the IT executives surveyed do not have a formal mobile device policy in place.
It's scary information when you consider that 96 percent of supported smartphone and tablets do have access to corporate data, Spiceworks' Peter Tsai told CMSWire.com. "I would say that there is very likely a lot of vulnerable data out there."
IT ops, though, are not run by stupid people—they know the risks they are taking, Tsai continues.
Too Little Focus on Mobile
The problem, which also was unearthed by the survey, is straightforward: companies are not allocating the necessary resources, budget and time for IT to secure the mobile environment. "The cost of these security software solutions is substantial in many cases. Also, there are still many holes that need to be plugged in the mainstream IT operations," he says.
Cost, though, is just one – granted a big one – reason why mobile security is given the short thrift among companies, according to several people CMSWire.com spoke to about these findings. In part 2 we'll look at steps a company can take, even with a finite budget, to protect as much as possible the mobile piece.
Before that, though, it is worth examining some of the fallacies about mobile security and why IT operations tend to brush it aside.
The early efforts to securing mobile endpoints such as laptops, smartphones and tablets were not very successful. Impressions about the 'hopelessness' of mobile security were formed during this crucial period.
That was in large part to the early adopters taking an "all or nothing approach" with bring your own devices (BYOD) policies, Steve Lowing, Director, product management for Promisec, told CMSWire.com. Companies that did put in place strict controls got pushback from employees, he says.
"Just think about it for a moment: who doesn’t have a kid's game installed on their phone to sooth an upset child at a restaurant or who hasn’t used a corporate VPN connection to access work email or web application to then find their battery dies 5 times faster because of the added drain to maintain a VPN connection."
It’s these sorts of security approaches that have helped light the fire on proliferation of apps like Dropbox and other cloud based file sharing applications to get around the corporate hurdles IT puts in place," he said.
Many IT managers are out of their comfort zone when it comes to mobility. Instead, said Ritch Blasi, senior vice president, Mobile and Wireless at Comunicano, they rely on carriers or third-party companies to help bolster security. "IT departments historically focused on securing LANs, WANs, data storage facilities and employee computers as opposed to mobile devices, apps and services," he said.
At the very least, they know mobile security – and the related policy planning – can be very complex. Complexity ranks alongside budget and time, says iBoss Network Security CEO Paul Martini. The following in particular can make planning a mobile security policy daunting, he said.
- The large variation in operating system platforms running on mobile devices
- The fact that the mobile devices are outside the control of network administrators
- Cameras and recording devices are readily available on mobile devices which can have large security consequences
- Mobile storage on phones and tablets make any phone into a USB drive
"Understanding all of the security risks well is the first step of being able to define a good mobile security policy," Martini said. "Since not all networks administrators are experts in the space, they don’t know where to start."
A lot of the mobile apps being developed are customized — and at the direction of people who don’t understand security. "Most companies start developing custom enterprise mobile apps without using the appropriate tools and this leads to security vulnerabilities being left in their apps," Vik Mehta, COO of VastEdge, said. In some part this is because mobile apps are still new enough that many executives do not fully understand all of the risks. Corporate standards, procedures and policies are still evolving for security and the assumption – which is often false – is that this evolution will include mobile security standards, he adds.
The lack of standards can be daunting. Among small- and medium-size businesses (SMBs), for example, a significant percentage of companies do invest in mobile device security, says Jerry Irvine, a member of the National Cyber Security Task Force and CIO of Prescient Solutions.
The challenge is a lack of standards, coupled with the large number of different service providers, hardware platforms and operating system versions for mobile devices.
"Until a standard is developed for mobile device manufacturers to follow, companies are being forced to have multiple MDM/MAM applications as well as perform many tasks manually to keep systems updated and secure," Irvine. "As a result, it may appear that IT is lax in providing security when in fact there is little more they can do. "
(Tomorrow: Part 2 of "How to Tame Your Mobile Security Dragon."