Mobile devices often contain both personal and corporate data. When these devices use cloud services with an "always on" internet connection the risk of security breaches increases says Jeff Crume, IT security architect at IBM. He talked about securing mobile devices at the OOP 2015 conference in Munich, Germany.
InfoQ interviewed Crume about mobile security threats, increasing adherence to security policies, how teams can use mobile devices to collaborate efficiently and effectively while still ensuring security and deploying enterprise mobile security.
InfoQ: Can you give an overview of the mobile security threat landscape? Which threats do you consider to be the most important?
Crume: Mobile security is a topic that is of increasing importance on both a personal and professional level. Mobile devices go with us everywhere we go, and contain all types of information ranging from sensitive corporate data to personal communications and financial information.
As such, we end up carrying our digital lives with us in our pockets and purses, and often do far less to protect our mobile devices than we would their larger IT counterparts such as laptops and servers. In fact, only 45 percent of companies who lead the pack in traditional security initiatives have an effective mobile device management strategy, according to IBM’s third annual Chief Information Security Officer study.
The bad guys know this, and they are taking advantage of the lack of security controls with increasing frequency. For instance, malware can spread through compromised apps downloaded for entertainment purposes (think games, social media and the like), and steal company secrets or provide enough information for someone to conduct identity fraud. The fact that these devices are so small and portable is why we love them, but it's also why they can be so easily lost or stolen.
InfoQ: You mentioned that we shouldn't look for some technology to have all security risks go away. Can you explain this?
Crume: There are a number of security technologies that can help limit the risk of attack. Unfortunately, none of these can eliminate all risk, and they never will. Any operational system can potentially be breached and mobile devices are no different in this regard.
However, this doesn't mean we shouldn't use them, just as it doesn't mean we shouldn't unplug all of our computers and give up. We have to be smart -- even smarter than the bad guys -- and understand what the risks are and what we can do to mitigate them. There is a great deal that can be done, so there is every reason to move forward, but we should do so cautiously and with our eyes wide open to the threats.
According to the security study mentioned earlier, more than 80 percent of security leaders believe the challenge posed by external threats is on the rise. The good news though, is that 90 percent of these same leaders strongly agree they have significant influence in their organization, and 76 percent of them agree that their degree of influence over the past three years has significantly increased – making now more than ever the time to bring security technologies to the forefront of business decisions.
InfoQ: What can organizations do to have employees adhere more to their security policies?
Crume: I'm a big believer in education. Human error is actually responsible for 95% of security incidents according to the security study, so an educated end user population is often our best defense. Education involves more than just having users memorize a bunch of rules, though. It means teaching security principles so that when new and unanticipated threats arise, our people are able to recognize that something is not quite right, and respond defensively to limit the damage. The second part of the equation is that we can use mobile device management and secure containerization tools to enforce security policies, limiting the impact of a threat to one app, instead of possibly impacting others.
InfoQ: The ways that employees collaborate and communicate are changing, e.g. with distributed teams and remote working, collaboration tools, agile teams, etc. How does this impact mobile security?
Crume: I think this only increases the importance of mobile devices as an essential component of successful organizations and, therefore, increases the importance of getting security right on those devices. The more we come to rely on mobile platforms, the more likely we will be to store sensitive information on them, and the more critical it will be to protect that information.
InfoQ: What can be done to make it possible for teams to use mobile devices to collaborate efficiently and effectively, while still ensuring security?
Crume: Clearly, the best security is that which protects what is valuable, without getting in the way of productivity and usability. Unfortunately, too many times security professionals have, in the interest of improving security, ignored the human element and not realized that making security too hard for end users effectively ensures that it won't get done.
We always need to remember that at the other end of that mobile device is a person -- not a machine. That means that security measures need to be as unobtrusive and natural as possible. Sometimes this isn't possible, but it should always be the goal.
InfoQ: Any final advice that you want to give to organizations that want to setup and deploy enterprise mobile security?
Crume: Too many times security professionals can become overwhelmed by the wide range of threats that exist in emerging technologies like mobile and, in an attempt to maintain control, become heavy-handed with security measures.
In some cases, they try to ban the use of mobile devices, but real world scenarios teach us that draconian approaches are destined to fail over the long-term, because they just drive the behaviors below radar. The key is for organizations to not say "no" but say "how" instead. This way they remain relevant, and can lend their expertise to a user base that desperately needs it and can enable innovation instead of stifling it.