When BYOD was coming to fruition a few years ago, it had a sudden and deep impact on IT risk. Why? Many CISOs I spoke with at the time said it was purely a matter of scale. All of a sudden, large enterprises had thousands of additional devices on their networks and they struggled to figure out what these devices were doing and how these activities impacted organizational risk.
ESG recently published a new research report titled The State of Mobile Computing Security, which looks at mobile computing security holistically across devices, applications, data, and IT security operations. Based upon this research, it appears to me that security issues around mobile computing have been way overstated. The ESG research indicates that mobile computing risk is really associated with:
1. Basic IT operations blocking and tackling. Enterprise organizations realize that it is risky to let unknown and unmanaged devices frolic around their networks at will. To mitigate this risk, many organizations have created cross-functional mobile computing tiger teams within IT, but the ESG research indicates that these groups are dominated by the IT operations team. In fact, 39% of enterprises say that IT operations is responsible for mobile computing security, as compared to 26% of organizations claiming that the IT security group is responsible for mobile computing security. Why does IT operations participate more than the security team? Because the primary security tasks are IT operations-centric, such as onboarding users, configuring devices, creating/enforcing network access policies, etc. Little wonder, then, that MDM and vendors like Citrix (Zenprise), Good Technology, IBM (Fiberlink), MobileIron, and VMware (AirWatch) dominate the mobile security headlines.
2. Data security. When asked to identify mobile computing security challenges, 43% of security professionals point to "protecting data confidentiality and integrity when sensitive data is accessed by a mobile device over the network," while 41% say, "protecting data confidentiality and integrity when sensitive data is stored on a mobile device." These results shouldn't be a surprise; we've been struggling with discovering, classifying, and protecting sensitive data since companies decided to process departmental data on Digital VAX systems rather than putting all of their MIS eggs in the IBM mainframe basket. Of course, mobile computing exacerbates this risk, but mitigation comes down to user training, acceptable use policies, security controls, and strong monitoring. Nothing new here.
3. Mobile application development. ESG research reveals that 42% of enterprise organizations are developing a "significant amount" of mobile applications while another 38% are developing a "modest amount" of mobile applications. These mobile apps vary - 45% of organizations are developing hybrid applications, 41% are building native iOS apps, and 39% are coding with HTML 5.0. The scary thing here is that fewer than half of organizations are currently including best practices for secure application development. For example, 47% of organizations say they perform static application software testing as part of mobile application development, 47% claim they train their mobile application developers on secure application development best practices, and 47% perform dynamic application testing as part of mobile application development. Pardon the pun, but given this situation, insecure mobile applications may become a Trojan horse for future security problems. CISOs must identify this vulnerability, but it is up to the applications development team to mitigate the risk.
4. Third-party applications. No surprise here - Angry Birds, Dropbox, and Facebook represent a threat vector for malicious code and data exfiltration. Little wonder then that 40% of enterprises have implemented security controls (e.g., Web controls from Blue Coat, Proofpoint, Trend Micro, etc.; NGFW from Check Point, Cisco, Fortinet, Juniper, McAfee, Palo Alto, etc.; application controls from Bit9, Symantec, Viewfinity, etc.) to detect and/or block this behavior.
Yes, security professionals are concerned about mobile malware - in fact 80% believe that mobile malware threats will become "significantly" or "somewhat" more dangerous in the next few years. Security professionals' fear is certainly supported by the fact that Android malware is growing in the triple digits as many researchers claim. That said, this malware seems to be consumer-focused and centered in Asia today, so it doesn't represent an enterprise threat in its current iteration.
IT risks associated with mobile computing will certainly evolve over time and CISOs should remain engaged and diligent. Nevertheless, the ESG data indicates that mitigating mobile computing risk comes down to sound policies, layered security controls, continuous monitoring, and user/IT training. As security professionals, we've seen this movie a thousand times before. CISOs know how to manage this risk but they will need help from others to do so effectively.