Common Mobile Security Mistakes
In study after study, IT professionals cite security and data privacy concerns as the top inhibitor to mobility adoption. With tremendous pressure from users (with the C-suite being amongst the most ardent) and business leaders to enhance mobile programs, support more devices and applications and provide mobile access to corporate systems, a knee-jerk reaction to “securing mobile” may be tempting.
That said, it is those knee-jerk reactions that we have seen lead to a few common mistakes when it comes to mobile security:
- IT as the last line of defense – Resistance is futile. No, really. Mobility is here – it provides enterprises with different opportunities to operate more effectively, create a tighter relationship with the customer, open new channels, expand integration and partner networks, etc. Resisting adoption of mobility because it will introduce threats or operational challenges into the corporate environment is ultimately a short-term play and will likely alienate the business. We too are quick to recognize the threats associated with mobility – but this needs to be a conversation about enablement, not resistance.
- Rushing out and buying a tool – Mobile Device Management (MDM) vendors (there are a lot of them) will tell you they have the solution to your needs. The reality is that they might – however, unless you have done your homework to understand your specific mobility use cases, how do you know? A lot of companies are piloting solutions; far fewer are convinced they have the right solution.
- Cracking down – Cranking up the security on mobile devices and locking them down as much as possible does two things:
  - it creates a lot of secure devices and frustrated users (who, by the way, have these devices at home with no restrictions and know how much better the user experience is), and
  - it inhibits adoption of corporate-provided/supported solutions. It is important to note that this does not inhibit USE of devices, just the official corporate-provided sort – in one case a serious device lockdown led to a 20% decline in participation in the corporate program. We doubt users gave away their devices, however. The key here is balance…
- It’s “all good” – On the opposite end of the spectrum, we see companies allowing mobile devices in their environment unofficially or semi-officially (typically in the form of a weakly defined ‘bring your own device’ program). However, they dodge the security and operational issues by officially not supporting mobile in a significant way. This ‘feel good’ approach goes over well with users, but may expose the company to less than tolerable levels of risk. Did I mention balance?
The last common ‘mistake’ is less an error and more of a symptom – paralysis.
The solution to paralysis, and the means to avoid the mistakes outlined above, is at least conceptually straightforward:
- Identify and prioritize your key business-driven mobility use cases (who, how, which systems, what data, etc.)
- Once your mobility use cases have been defined and prioritized, conduct a risk analysis to identify the key threats for each use case
- Once the threats are understood, identify the controls that can be implemented to address those threats (hint: look at the entire ecosystem, not just the mobile device)
- Based on the threats and controls, define your security requirements and desired solution architecture
- Go forth and conquer!
Security & Privacy
Deloitte & Touche LLP