By now, you are likely wondering why I'm talking about game theory when discussing mobile security. The reason came when I chaired a panel at the NetEvents Americas Press Summit on the topic, and realized that the very best a network security manager can do is keep the bad guys at bay. What's worse is that it's a battle that you certainly can't win, and that the best you can do, if you're really lucky, is break even.
To say that the odds are stacked against you is an understatement. One of the panelists, former FBI Special Agent Jill Knesek, who is now head of Global Security with BT Global Services, said that her company performed an analysis of Android apps from Google Play and found evidence of active or dormant malware in about a third of all Android apps.
Adding to the difficulty of maintaining security in the enterprise is the ease of breaking security rules without realizing it. A good example is cloud storage such as Google Drive or Microsoft SkyDrive. While the services themselves encrypt the data that's stored there, it's accessible to anyone who knows or can figure out the password. This sort of problem is made worse with BYOD, first because users aren't thinking about security since they own the devices, and second because there are significant impediments to maintaining security, including laws in some places that can keep you from wiping your company data from a personally owned device.
BT's Knesek said that the only thing that is likely to make companies realize the risk of not controlling the personally owned devices in their companies is a tragedy. "Only when bad things start happening will this change, such as if a young woman whose phone gives away her location is raped and killed as a result," she said. "It's a trade-off."
Effectively, security managers in the BYOD and mobile world are faced with several challenges. One is to try to maintain the level of control they can. Another is to realize that they can't control everything, and to determine, as Knesek suggests, the level of risk they're willing to accept.
Finally, it's important to balance the benefits of mobile technology against the risks. If your company shows significant gains in productivity by mobilizing the workforce, then some risk may be worth it. Likewise, if you can incorporate reasonable protections, such as next-generation firewalls, to limit what employees can do while using the corporate network, this move may help prevent them from dumping corporate data into insecure places. But it might not.