Fighting against the evil that lies within mobile phones

Opinion Davey Winder Nov 19, 2012

BYOD and cloud aren't always happy bedfellows; it's time to make sure an enterprise is up to speed - guarding against the evils, of course

The sale of mobile phones may be in decline, down 3.1 percent globally according to the latest Gartner figures, but smartphone sales have jumped up by 46.9 percent in the same period.

There's a link to other newly published research, from ISACA, which suggests most users, some 59 percent in fact, think the Bring Your Own Device risk to the enterprise outweighs the potential benefits. That same research also reveals a 22 percentage point drop in the number of enterprises which actually prohibit BYOD usage, which might account for why an estimated 23 percent of employees in the UK now use their own devices for work-related purposes.

The Cloud Security Alliance has also been busy on the report publishing front with version 1.0 of Security Guidance for Critical Areas of Mobile Computing seeing the light of day this month. The timing couldn't be better, and I hope that those enterprises who have been blocking BYOD (about 44 percent, down from 66 percent) have been reading it. Not just the bit by CSA Mobile Working Group co-chair David Lingenfelter where he points out that BYOD comes with a cost in terms of "ensuring that established security protocols are consistently and correctly applied" but perhaps more importantly those parts where specific guidance is given to help mitigate the mobile computing security risk from a cloud-centric vantage point.

Companies that don’t protect themselves through policies place themselves at great financial risk

As always, understanding what the risks are is the vital first step towards defending against them.

The CSA refers to these risks as the 'evil eight' in terms of the primary mobile security enterprise risks:
1. Data loss from lost, stolen or decommissioned devices
2. Information-stealing mobile malware
3. Data loss and data leakage through poorly written third-party applications
4. Vulnerabilities within devices, OS, design and third-party applications
5. Unsecured Wi-Fi, network access and rogue access points
6. Unsecured or rogue marketplaces
7. Insufficient management tools, capabilities and access to APIs
8. NFC and proximity-based hacking

Cesare Garlati, the other co-chair of the CSA Mobile Working Group, states the obvious when he says "companies that don't protect themselves through policies place themselves at great financial risk", but sometimes the obvious needs to be stated, again and again, before it finally sinks in deep enough to reach a point where sensible action is taken.

When you look back at the ISACA '2012 IT Risk/Reward Barometer' findings, none of the above should really come as any great surprise after all. It simply confirms that many of the unsafe actions that consumers admitted to in the workplace were also the ones that ISACA members felt posed the greatest risks: storing work passwords on mobile devices and using cloud-based file sharing services being the top two.

I'd recommend you go and read the CSA guidance document PDF yourself as a starting point for getting that 'sensible action' moving forward. To embrace BYOD within a cloud-centric enterprise environment, but without also embracing a suitably comprehensive security policy, is, frankly, the equivalent of leaving your data in a box on the pavement with a large sign above it reading "please help yourself". I fully appreciate that it's easier said than done, especially when considering security policy for both mobile and cloud concerns, but it sure ain't impossible. Make your new year resolution to get a collaborative hybrid cloud/mobile policy up and running as soon as possible.

Davey Winder

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.