Mobile Security: Shedding Light On A Topic Usually Shrouded In Dark
The ever-increasing move by users to use their own mobile devices and their own applications in the workplace is bringing on security issues so significant that businesses often don't even recognize them.
That's the message from Jack Gold, principal analyst at J. Gold Associates, a Northborough, Mass.-based consulting firm, who told attendees at this week's XChange Solution Provider conference that issues related to mobile security will only grow over time.
"Everyone talks about mobile security," he said. "But it's not secure. A lot of companies don't know what they don't know."
While businesses that look at issues related to mobile security focus on the BYOD (bring your own device) trend among their users, they need to focus even more on the BYOA, or bring your own application, side, Gold said.
"Can these apps be trusted?" he said. "You don't know. Especially if you go into an app store with thousands of apps."
The main problem is the difference in priorities between IT departments, which focus on security and policies, and users, who focus on convenience, Gold said.
"The problem is, in a lot of organizations, IT tends to be dictatorial," he said. "End users always find a way to do what they want to do."
Gold said there are three pillars that must be in place for true mobile security: the security itself, policies built around security requirements, and user acceptance of the policies. Missing any one of them, especially user acceptance, will doom security measures, he said.
Success comes from balancing the risks of loose security with the rewards users receive from being able to choose their own devices and applications, he said. This leads to a security gap where more control by the IT department leads to more security while more user choice leads to less security.
"Most companies do a really poor job -- and I'm being kind -- of managing and even understanding this gap," he said. "And that means opportunity for [the channel]."
Getting user acceptance is a huge hurdle, said Chris Johnson, medical IT consultant at Untangled Solutions, a Santa Monica, Calif.-based solution provider with a primary focus on customers in the medical industry.
Johnson said that in presentations to customers he likes to draw a sliding scale ranging from no security on one end to crazy, all-out security on the other.
"In the middle is the user," he said. "As the slider moves toward more complicated security, users will more likely go off and do their own thing. So the security risk is actually increased."
Gold said there are seven critical steps to successful mobile security.
The first is to have a proactive, not a reactive, strategy. "You don't want to build a strategy after an attack," he said.
The second is to know what users will do with mobile devices. Gold illustrated the point that a company's CEO treats mobile devices differently than others in the company by citing the case of a customer whose CEO has lost three iPads. When asked what data was on those three iPads, Gold said he was told that the CEO didn't know for sure.
The third is to realize that security requirements vary from device to device, and that while installing anti-virus and anti-malware software might work for a PC, it does not work for other types of mobile devices.
The fourth is to have a mobile device management strategy that accounts not just for the devices, but also for the applications and data. Losing a device might cost a company $200 to replace, Gold said. "You can always wipe the device," he said. "But it's the data that's critical."
The fifth step is to stay flexible and manage diversity, as the devices used constantly change, Gold said. "If you think BYOD is challenging, just wait to see what else is coming," he said.
The sixth is to understand the return on investment and the total cost of ownership related to mobile security.
The seventh is to ensure security is supported properly, Gold said.
Mobile security offers a variety of opportunities to solution providers, Gold said.
These include offering services and support as most businesses do not have the right people or resources to handle it themselves, providing analytics to help educate customers about security risks and threats, and offering cloud-based security as a service, he said.
Untangled Solutions' Johnson said Gold did a good job of making the point that solution providers need to move quickly to deploy mobile security.
"We need to peel back the onion layers of security to help customers understand the need for mobile security solutions," he said.
PUBLISHED MARCH 4, 2014