Some consider mobile security to be an oxymoron. What do you think?
If employees were prohibited from accessing corporate data, there would be no security issues, but there also would be no productivity. Mobility allows employees to be more productive, since they have access to corporate data at all times, no matter where they are. The side effect of always-on access is the potential for always-on leakage of corporate data.
One key challenge for a security solution is to protect corporate data while allowing employees to be productive anywhere they go. Since employees often use the same mobile device for both work and life, a second challenge for a security solution is to protect corporate data without invading the user’s privacy. Users reject security solutions that invade privacy as soon as alternatives become available, e.g. users rejected the BlackBerry when the iPhone came along.
BYOD and the mobile workforce are not going away. This means there has to be a way to balance the security needs of IT with the mobility and privacy needs of. Mobile security is certainly challenging, but not impossible, and it is an area that must grow and innovate as the modern workforce becomes increasingly mobile.
Based on the analysis of your client's devices, what are the most common security pitfalls?
The most common security pitfall we see is allowing highly sensitive corporate data to flow to mobile devices in the first place. At the end of the day, no security solution can prevent a rogue employee from taking a screenshot or other reproduction of sensitive data and sharing it on social media.
The challenge then is to minimize risks through a combination of technical and procedural controls. Procedural controls must revolve around end-user awareness and training. The more employees know about the security being deployed on their mobile devices, the more comfortable they will be with respecting corporate security policies. Automated controls such as data leakage prevention technologies and access control engines ensure that corporate data is safe, even if employees accidentally or intentionally leak confidential information. And when the automated controls respect employee privacy, employees have no incentive to defeat those controls.
Procedural and automated controls can help mitigate the security vulnerabilities that are an inherent part of mobile data access.
How worried should organizations be when it comes to the security of their mobile devices? Do mobile devices require the same level of security as desktop computers?
I would advise clients that all mobile devices — be they smartphones, tablets or laptops — need to be treated as hostile devices. Contrary to popular perception, a laptop can be much more dangerous than a smartphone since it can carry a lot more data and it can also process and move that data much faster than a smartphone. I doubt that Snowden carried away loads of data from the NSA on his smartphone.
However, as we all know, mobile devices are by their very nature easy to lose or misplace. They can be left on the seat of a taxi, on a restaurant table or on a bench at the airport. This ease of misplacement makes them prime targets for a data breach. Many people do not take proper precautions to secure their mobile devices, such as ensuring all devices are password protected and that corporate data can be remotely wiped in the event of loss or theft.