By Dave Hannon
We are in the midst of one of the most exciting technological revolutions in the history of business and the excitement has many of us taking our eyes off the security ball. The enterprise mobility wave is literally changing business before our eyes, but it also brings about some of the most widespread security risk we may ever see.
I know you are rolling your eyes right now because you have a solid mobile security policy in place. You personally reviewed it and ensured all of the back-end technical issues mapped up. You signed off on it. It is a solid plan, covering all the bases.
But unless every employee using a mobile device in your enterprise knows about the plan, it is not worth the paper it was written on.
It’s true. Many IT organizations have developed effective mobile security plans, but their far-flung sales, service, and other employees are not even aware of it. A recent study by McAfee and Carnegie Mellon University points out that 95% of organizations have security policies in place for mobile devices (GOOD), but 27% of employees are unaware of their company’s mobile security policy (BAD). “Fewer than half of companies report that all of their employees understand their mobile device access/permissions,” the report says. (VERY BAD).
And those far-flung mobile users, geographically speaking, are the most vulnerable to mobile security attacks. According to a study by NetQin Mobile, a whopping 53 million Android users were infected with mobile viruses or malware in the first quarter of 2011. And 64% of those attacks occurred in China, due to the easy availability of "white box" phones (open phones that are not tied to particular carriers) and “a general lack of mobile security awareness among mobile phone users.” (This recent study by Juniper Networks provides a good description of some of the top mobile threats such as malware in downloaded apps, Wi-Fi attacks, and device loss and theft.)
But even those users that ARE aware of the policy may not be abiding by it because they feel it is too restrictive for them to do their job. The McAfee/Carnegie Mellon study found that more than half of those aware of their company’s policies view them as stringent or very stringent. Even 20% of IT departments characterized their own policies as severely restricting. In other words, most users do not understand just how important this issue is.
So, beyond all the technical work your IT organization is doing to ensure a secure mobile strategy, you MUST have a mobile security leader or evangelist to adequately articulate and evangelize the company’s security policy. Users in all business units, roles, and geographies must understand what they need to comply with and how important it is.
Who is the best person for this job? Well, it might not be someone from the IT organization, simply because the skills required are less technical and more marketing-focused. Your mobile security evangelist must know how to leverage tools like the company intranet and in-person presentations to spread the word. They must be able to secure user buy-in through benefits demonstration and articulation of specific risk, and not through the use of corporate mandates or the threat of punishment for non-compliance.
If no one in your IT organization fits this description, find someone that does. Fast. Internally, externally, full-time, contractor, whatever. Because no matter what business you are in, mobile is a rapidly emerging opportunity and one major security lapse can take the wind out of the sails of your mobile users, developers, or even investors very quickly.
As always, if you have experience or suggestions in this area, I welcome them. Feel free to post a comment here with your own experience to share.