Mobile Security Is a No-Win Game When Cyber-Criminals Have the Upper Hand

NEWS ANALYSIS: Mobile security is at best a zero-sum game in which the bad guys are the only ones with a positive payoff potential. Corporate network and data security managers can only hope to keep cyber-crooks at bay.

By now, you are likely wondering why I€™m talking about game theory when discussing mobile security. The reason came when I chaired a panel at the NetEvents Americas Press Summit on the topic, and realized that the very best a network security manager can do is keep the bad guys at bay. What€™s worse is that it€™s a battle that you certainly can€™t win, and that the best you can do, if you€™re really lucky, is break even.

To say that the odds are stacked against you is an understatement. One of the panelists, former FBI Special Agent Jill Knesek, who is now head of Global Security with BT Global Services, said that her company performed an analysis of Android apps from Google Play and found evidence of active or dormant malware in about a third of all Android apps.

Adding to the difficulty of maintaining security in the enterprise is the ease of breaking security rules without realizing it. A good example is cloud storage such as Google Drive or Microsoft Skydrive. While the services themselves encrypt the data that€™s stored there, it€™s accessible to anyone who knows or can figure out the password. This sort of problem is made worse with BYOD, both because users aren€™t thinking about security since they own the devices and second because there are significant impediments to maintaining security, including laws in some places that can keep you from wiping your company data from a personally owned device.

BT€™s Knesek said that the only thing that is likely to make companies realize the risk of not controlling the personally owned devices in their companies is a tragedy. €œOnly when bad things start happening will this change, such as if a young woman whose phone gives away her location is raped and killed as a result," she said. "It's a trade-off.€

Effectively, security managers in the BYOD and mobile world are faced with several challenges. One is to try to maintain the level of control they can. Another is to realize that they can€™t control everything, and to determine, as Knesek suggests, the level of risk they€™re willing to accept.

Finally, it€™s important to balance the benefits of mobile technology against the risks. If your company shows significant gains in productivity by mobilizing the workforce, then some risk may be worth it. Likewise, if you can incorporate reasonable protections, such as next-generation firewalls, to limit what employees can do while using the corporate network, this move may help prevent them from dumping corporate data into insecure places. But it might not.