Mobile Devices Trump Security
The battle between convenience/sexiness and security marches on. It probably won’t be hard to pick the winner. I’m not the first person to note that the consumer market is driven by convenience and by the rather hard-to-define ‘x-factor’ of ‘sexiness’. Few products in recent IT history have brought together convenience and sexiness in one package more than the smartphone and other mobile devices. On a recent trip to NYC, the Big Apple, the City that Never Sleeps, the single store that had the greatest excitement—and it wasn’t even close—was the Apple store near Soho, and the overwhelming majority of that buzz could be heard around the mobile devices.
The statistics around mobile devices are jaw-dropping, perhaps none more so than this: About 42% of all venture capital is going into mobile (www.mobithinking.com). Why? Because of the second jaw-dropping statistic: 87% of the world’s population are mobile subscribers.
The devotion, if not the fervor, of users to their devices is so strong that businesses feel they simply must ‘succumb’ to the passions of their employees. This is probably true and actually reminds me a bit of one spouse saying to another: It’s me or the dog. ‘Let me use my iPad or I quit.’ But there are some very serious considerations here.
First, I for one am not entirely convinced that mobile devices increase productivity. The most downloaded apps are games, and some of the key selling features of mobile phones are the ease with which they work with Facebook and other social media.
Second, in my experience almost no one thinks seriously about security. Mobile apps have been downloaded about 11 billion times, and I’m pretty confident that a rigorous security analysis has not been performed on all of these apps. The Juniper Global Threat Center noted more than a 400% increase in Android malware in just a few months in 2010.
What does all this mean? Without being overly fatalistic, it probably means that your company is going to lose data, perhaps very valuable data. The old security paradigm was one which regarded first-class barriers as synonymous with strong defense. It is becoming more and more apparent that the only way to think about security now is to think that the bad guys are already within. Advanced Persistent Threats typify this: they can be injected into systems and stay there, doing their dirty work, for months if not years. The bad guy, like a dormant biological (and not IT) virus, gets in and hides and waits. Your firewall is useless.
Similarly, businesses may want to stop thinking entirely about how to secure devices and simply assume that at some point, data—perhaps crucial data—will be lost. They should start their security and contingency planning from there.
Of course, there are steps that businesses can take to defend themselves. They can permit only ‘secure’ operating systems; they can more rigorously define data access; they can compartmentalize and encrypt corporate data; they can run malware detection often. Etcetera. We recommend all these steps, and each of them will help.
But, in the battle between the mobile device and security, the mobile device is going to win. Businesses must implement Best Security Practices, but they should also, quite literally, prepare for the worst.