BYOD Security a Concern as Enterprises Welcome Mobile Devices

The bring-your-own-device trend has taken off--and with it comes a host of security concerns for enterprise networks. Experts offer BYOD security advice and tips: Have you considered adding a chief mobility officer?

June 4, 2012

In the first two parts of our report on the "2012 State of Mobile Security" survey by InformationWeek Reports, we looked at how bring-your-own-device (BYOD) policies are leaving companies vulnerable, and how CIOs can bolster mobile security. In Part 3, we explore BYOD security concerns.

First, it was the veritable explosion in mobile computing. That led, rather naturally, to the proliferation of BYOD policies. So it probably doesn't come as a shock that mobile networks are now subject to the same cybersecurity risks as traditional wired networks.

What may come as a surprise, however? Some organizations are still "burying their heads in the sand," instead of taking proactive measures to deal with these escalating BYOD security threats, according to Michael Finneran, principal at dBrn Associates in Hewlett Neck, N.Y., and author of the recently published "2012 State of Mobile Security" survey by InformationWeek Reports.

That's despite the fact that 86% of the 322 respondents permit the use of personally owned devices now or will soon. And though 84% of respondents also identify lost or stolen devices as a key mobile security concern, it'll likely take a highly publicized security incident tied to a poorly protected mobile device for IT to get the requisite management support and budget to address these issues adequately, the report states.

"Even in regulated industries, unless there is a front-page Wall Street Journal story about some event based on a smartphone or tablet that was inadequately protected and significant amounts of sensitive information was released resulting in a regulatory fine, everyone seems to be taking the approach that 'it probably can't happen,'" says Finneran.

Doug Miller, general manager of mobile solutions at Redwood City, Calif.-based vendor Nominum, agrees that the issue of BYOD security doesn't seem to have taken root. Nominum provides services for mobile providers, including Verizon, Deutsche Telekom and Telstra.

"Service providers aren't seeing this [mobile security] as a growth market for them yet," he says. "They're hearing about it, and we're being asked about what our solutions are for BYOD plans ... but I'm hearing more about it from the media than I am from service providers right now. It's a legitimate problem that service providers can solve."

To that end, Nominum recently announced its Mobile Network and User Security Solution. While geared toward mobile service providers, the product offers protection from bots, viruses and phishing attacks on consumer devices, while securing network elements and DNS data.

The security of the mobile network can be an issue, Finneran agrees. "The big picture is the number of potential threat vectors we're faced with. The most obvious is the threat of a lost or stolen device that isn't password-protected. But there are literally dozens of others, [including] information transmitted over-the-air to the persistence of mobile malware," he says.

The potential legal implications involved with BYOD security breaches can add up to a quagmire for enterprises: Should organizations require employees to encrypt data on their mobile devices? Many don't. When asked why, 29% cited a lack of management sponsorship/organizational initiative.

"It's a running joke in the security business that, 'We really hope the bomb goes off, but that it doesn't have our name on it,'" Finneran explained.

Another potential legal sticking point: While an organization would immediately wipe a lost company-owned device, what happens if an employee's device is lost, stolen or compromised?

"It varies by country: In some countries, it's against the law to wipe the data from an employee's device," Finneran says. "The U.S. isn't one of those, but the bottom line is there really isn't a lot of case law on the books at this point dealing with perplexing issues around mobility. It's a work in progress."

Which is why it's high time for enterprises to get the legal department actively involved and to appoint a chief mobility officer.

"For the time being, the legal side of things is the big unanswered question," Finneran explains. "So have employees sign a consent form before you put them on the BYOD program. Whether or not that will be sufficient in a court case five years down the line is unknown. It's time for organizations to take this seriously. Appoint a mobility czar to be the go-to person on all mobile initiatives, whether it's mobile apps, networks, devices, security; there should be one person in charge, and they should be responsible for anything involving wireless."

With said mobility czar in place, Finneran recommends forging a mobility strategy team that should include representatives from security, IT, application development, human resources and legal.

"Develop a mobility plan. The policy is just when you write down the roles, rules and responsibilities," he adds. "Think through the entire process, cradle to grave, and at the end of it you'll have a list of devices, the tools you're going to need, and required procedures. Revisit this plan every six months, because we're learning."
