Debunking Mobile Security Myths

As with the rapid adoption of any trend, mobile in the enterprise has generated its share of myths. It seems that for every solution enabled by mobility, there is a common misconception about user privacy, security and compliance. For instance, though Android malware generates headlines, a recent survey found that data loss was more concerning to IT than malware (75% versus 47%).

In this article, I will define and debunk 5 of the biggest mobile security myths surrounding BYOD and offer some advice on how to better protect your organization and your users.

1. Mobile Malware is the Biggest Enterprise Mobile Threat

While the heavy focus on mobile malware in the news might lead organizations to view it as an imminent threat, it’s not. A recent LinkedIn Information Security Community survey shows that the media hype cycle has not spilled over into enterprise IT. In fact, the survey highlighted that the large majority of organizations saw data loss as their top priority, well ahead of mobile malware.

Mobile malware at this point is largely Android-specific nuisance-ware linked to SMS toll scams. Once you dig deeper into the details of many of these “reports,” you can see that the malware issues are largely found outside of the U.S. and affect people downloading apps from third-party stores, NOT from the Google Play Store.

2. Mobile Device Management (MDM) Provides a Foundation for Mobile Security

MDM products have certainly helped usher in the bring your own device (BYOD) era by facilitating the use of mobile devices in the enterprise. However, harvesting the device-level insights that MDM products provide can only produce a small subset of the data needed to make strategic security decisions. What enterprises require is comprehensive visibility to inform a complete mobile security strategy, not just basic device-level tactics.

Enterprises know that data on the device is half their concern; the other half is the transfer of mobile data into the cloud. Therefore, enterprises want to know which apps users are leveraging to access and relay data, and where that mobile data is ultimately being stored: on the device or in the cloud. Gathering insights at this level of granularity allows enterprise security teams to clearly define their security risk and, as a result, put the right solutions in place to manage that risk.

3. Steering Clear of BYOD Means Keeping Data Secure

Over 28% of corporate data is accessed through mobile devices, and that share is trending upward. Users access this information with specific apps, manipulate it in others, and then potentially store it in the cloud. The result is that a specific piece of data has effectively been copied several times and has left a digital "paper" trail everywhere. This flow of data happens on a regular basis across tens of thousands of mobile productivity apps, regardless of whether a company chose to "avoid" having a BYOD program.

4. Control Features Should Be Implemented As Soon as Possible

A common tactic in security implementations is to control and restrain user activity. The problem with this control-first approach is that it might result in a costly tactical implementation that does not match up with the actual security risk.

For example, before putting a solution in place that could prevent mobile users from using cloud storage services, it would be worthwhile investigating the most popular service among a company's user community. It is quite possible that the users’ preferred cloud storage service meets all key enterprise security requirements and could be leveraged as a corporate standard, which is a more effective approach than using controls to shut it down.

In any case, we've seen time and again that users simply go around these controls anyway, so this is not a viable solution.

5. Security Features Must Be Deployed Regardless of What Users Think About Them

The entire BYOD wave has been driven by users looking for new ways to be more productive in the workplace. Attempts to curtail that productivity through restrictive controls do not reflect well on IT, which can easily be perceived as a force of counter-productivity.

Many enterprises are even going so far as to implement and enforce app blacklists on BYOD devices, keeping users from leveraging their smartphones for personal entertainment apps like Netflix and Angry Birds. Unfortunately, the direct result of these policies is not increased productivity, but rather circumvention. Users have shown themselves to be highly effective in circumventing mobile security controls, with nearly 60% of them having done so to get their jobs done. And when a policy forces them to choose, they will pick personal pleasure over business and simply not participate in BYOD programs.

Mobile security is relatively new and is rapidly evolving as organizations work to keep up with the user adoption that sparked BYOD, as well as the ever-advancing mobile ecosystem, which constantly changes to accommodate new technology. It goes without question that there will be some growing pains as organizations try to accommodate this move to mobile without compromising security. By taking a more strategic approach, organizations can optimize BYOD, enabling users while keeping data secure.
