co-authored by Dr. Stephen Bryen
Increasingly, in the United States and around the world, individuals use smartphones and tablets for personal and business communications. In the past, during the BlackBerry era, businesses and government agencies tended to provide these devices to their employees. Mostly that has now changed, and we have entered the era of Bring Your Own Device, or BYOD. Even in companies and agencies that still hand a device to an employee, there is a good chance that the employee will also carry his or her own smartphone or tablet. And, on top of that, according to a new study, it is even more likely that the employee will not respond to corporate appeals to follow security policies or procedures.
That study, commissioned by Fortinet, a network security company, sampled 3,200 graduate-level adults born between 1981 and 1992, the cohort known as Generation Y. It revealed that a surprisingly large number of Gen Y employees will not follow corporate security guidelines when using their mobile devices. And a significant percentage of them, 14 percent, say they won't tell their management if their device is compromised.
What is important here is that it is a real struggle for enterprises, organizations and government agencies to harness and control the risks of widespread BYOD.
Does it matter? In the opinion of most experts, it does, because smartphones and tablets create opportunities for intruders and hackers to collect important information that can be used to harm the enterprise, compromise the organization, or wreak havoc with misused personal information, including bank accounts, credit cards, health and family data, and socially damaging relationships and opinions. Even though the word "personal" has taken on a new meaning in the age of Facebook, Google, LinkedIn and other social media, there is still a lot that people want to keep private. With leaky smartphones the problem becomes far worse than it already is. Consider, for example, that a hacker can learn your location. If you are far from home, and you either live alone or your family is there without you, your home can become a target for bad people.
Not many companies or government agencies have what could be called serious corporate mobile device security policies. And even fewer have any idea how to enforce them. But the fact is that well-designed security policies for mobile devices can help a company protect important information and transactions, and the same policy can also help individuals protect themselves. Unfortunately, there is very little evidence, from either the bottom up or the top down, that most organizations really grasp the significance and usefulness of a good security policy for mobile devices.
If Gen Y employees are assessed, as they are, as paying little or no attention to mobile device security, it is likewise true that very few senior managers think about the risks; sometimes they simply believe they are immune to them and can do whatever they want. This is true at the very senior levels of government and corporate enterprise, and security managers and auditors are keenly aware of the problem; they just don't have a solution.
Recent events are starting to prompt some rethinking at the senior levels of organizations. The Snowden leaks about government spying, and the British phone hacking scandal that is now playing out in the British courts, are causing a stir. One immediate consequence: the British Cabinet has banned iPads and tablets from Cabinet meetings!
The real solution, though, comes from frank recognition of the risks and a coherent approach that provides practical solutions.
At the "C" level (that is, top management), government and corporate leaders need to put in place really effective security measures that protect them from spying. In fact, to be a corporate leader you need to protect against Reputation Risk and exercise "Duty of Care." These twin concepts apply to mobile phone security. One thing for them to do is to make sure that their sensitive communications are safe, and that there is no pathway from the phone into the core transactions of their organizations. Today's mobile phones are a gateway to the most important corporate secrets, and therefore either the phones have to be isolated from those networks, or the networks and the phones have to be made safer.
At the BYOD level, for Gen Y and all the in-between generations, what matters is better education, together with solutions that are easy to implement and don't destroy the functionality of the smartphone. If you are going to tell your staff they can't put the latest social app on their phone, they won't listen. If you give them a tool that protects them and the phone from malware or spyware, they won't resist. At Ziklag Systems, for example, we have developed an automatic solution that provides protection in the workplace. If a BYOD user also wants to use the app for personal protection, BMG (Be My Guest).
With corporate leadership and better security products in the future, the threat can be reduced, but a lot of work has to take place from the top down and from the bottom up.