By now, you are likely wondering why I'm talking about game theory when discussing mobile security. The reason came when I chaired a panel at the NetEvents Americas Press Summit on the topic, and realized that the very best a network security manager can do is keep the bad guys at bay. What's worse is that it's a battle that you certainly can't win, and that the best you can do, if you're really lucky, is break even.
To say that the odds are stacked against you is an understatement. One of the panelists, former FBI Special Agent Jill Knesek, who is now head of Global Security with BT Global Services, said that her company performed an analysis of Android apps from Google Play and found evidence of active or dormant malware in about a third of all Android apps.
Adding to the difficulty of maintaining security in the enterprise is the ease of breaking security rules without realizing it. A good example is cloud storage such as Google Drive or Microsoft SkyDrive. While the services themselves encrypt the data that's stored there, it's accessible to anyone who knows or can figure out the password. This sort of problem is made worse with BYOD, both because users aren't thinking about security since they own the devices and second because there are significant impediments to maintaining security, including laws in some places that can keep you from wiping your company data from a personally owned device.
BT's Knesek said that the only thing that is likely to make companies realize the risk of not controlling the personally owned devices in their companies is a tragedy. “Only when bad things start happening will this change, such as if a young woman whose phone gives away her location is raped and killed as a result,” she said. “It’s a trade-off.”
Effectively, security managers in the BYOD and mobile world are faced with several challenges. One is to try to maintain the level of control they can. Another is to realize that they can't control everything, and to determine, as Knesek suggests, the level of risk they're willing to accept.
Finally, it's important to balance the benefits of mobile technology against the risks. If your company shows significant gains in productivity by mobilizing the workforce, then some risk may be worth it. Likewise, if you can incorporate reasonable protections, such as next-generation firewalls, to limit what employees can do while using the corporate network, this move may help prevent them from dumping corporate data into insecure places. But it might not.
Dumb Users, Regulators Are Part of the Problem
In addition to the legions of bad guys who are trying to steal your corporate data, mobile security managers are saddled with an even bigger problem: dumb users. Despite everything you may try to accomplish by managing data loss exposure, by limiting the apps users can use while connected to the corporate network and by controlling what they download and upload, you're still at the mercy of the employee who loads corporate data onto their mobile device and then takes it home. While you can limit this to some extent through training and through security awareness, there are some things that you can do nothing about.
In some places, regulators limit what security managers can do or what devices can be sold in their countries. Jose Otero, president of the Uruguay-based Signals Telecom Consulting, said that stupid users are only part of the problem. “We have stupid regulators, as well, who don’t understand security, malware, or BYOD [bring your own device].”
Adding to the problem are mobile device manufacturers, such as Apple, that prevent full management of their devices. Apple iPhones and iPads always allow the user to have control over their devices, and iOS doesn't provide the full management capability that some other mobile devices allow.
So what can you do? Knesek said that, at BT, the executives solve the problem of security by carrying two devices, one that's owned and controlled by the company, and the other that's personal. This means that all company data is on the company-owned device, and the personal device is used only for personal data. She pointed out that this has one distinct advantage: The executive can turn off the company device and not be bothered by work.
Another answer, obviously, is to use a device that's secure in the first place. It's probably significant that when I polled my panel while we discussed our presentations over coffee and bagels at the Loews Hotel in the South Beach area of Miami, I found that four of the five panelists used BlackBerry devices. One used an iPhone. None of the security experts depended on an Android device for communications. The iPhone user (we won't say who it was) expressed embarrassment.
But in reality, choosing the right platform is only part of the problem. The bigger problem is using the device appropriately, and that's where the zero-sum game comes in.
Editor’s Note: This story was updated to correct the spelling of Jill Knesek’s name.