In the seventh season of the hit TV series The Office, Michael Scott unveils his movie called "Threat Level Midnight." In the movie, agent Michael Scarn is brought out of retirement by the President to protect the NHL All-Star Game from being blown up by the evil Goldenface. To accomplish this, Agent Scarn must go through some difficult tasks, such as learning to skate and play hockey as well as recovering from a gunshot wound. Scarn, of course, does this because the Threat Level to the All-Star Game is fast approaching midnight.
Businesses today are approaching their own "Threat Level Midnight," but this threat doesn't come from a single, evil super villain. Rather, it comes primarily from the internal employees in an organization and their habits when using their personal mobile devices.
This week, Aruba Networks released a report called "Securing #Genmobile: Is Your Business Running the Risk?" that looks at the risk created by the "bring your own device" (BYOD) wave. BYOD has been all the rage over the past five years. The 2014 ZK Research Enterprise Mobility Survey found that 82% of organizations now support the use of consumer devices in the workplace (disclosure: I work for ZK Research). Businesses obviously need to do this to remain competitive, but it's clear from this report that most do not fully understand the risks and threats associated with BYOD.
Aruba's report is full of good information, but there were a few data points that I thought were worth calling out.
- 60% of workers admit sharing their work and personal devices regularly. Also, nearly 20% of employees admit to not having passwords on the device, and a fifth of those respondents claimed to have no security measures in place all the time. If Dwight Schrute were CIO, he might ask "Question: Is it safe to share mobile devices?" to which Kelly's attempt at a response would only be cut off by Dwight's answer: "False: It is never OK to share a device with work information on it." However, despite Dwight's protests, this appears to be the norm.
- Security is an after- or non-existent thought. When it comes to device preference, security ranks fifth on the list behind brand, operating system, and other factors. If security were higher, then BlackBerry would likely be in a much stronger position. Why the indifference towards security? Well, 87% of employees assume that IT can keep them protected, even when on a personal mobile device. The mismatch between IT's responsibilities and employees' responsibilities is huge right now, indicating that better education is badly needed.
- We live in a "me-first" world today. Clearly, workers today feel far more empowered than they ever did. A couple of decades ago, there were far more Dwight-type employees who took corporate policies seriously than Michael Scotts who tend to use them as guidelines. Workers not only bring devices into the workplace, but also use their own applications and cloud services. Fifty-six percent of workers in the study said they would willingly disobey a boss to get things done. Almost half of workers say that mobile makes them more productive, and 77% are willing to move to a self-service IT model. All of this comes down to a more entitled, technically savvy worker who doesn't want policies to hold them back.
So what's a business or IT leader to do? Hire Michael Scarn to come eliminate the threat? Scarn may be a good hockey player, but he's no expert in IT issues. Protecting the business today means shifting the security and control points into the networks. I'm not saying ditch endpoint security or the MDM products, but ensure that they work with the network to provide multiple layers of security.
I also believe that better policies are required with respect to BYOD. In the ZK Research survey I mentioned earlier, over 20% of businesses admit to not having any kind of written policy regarding BYOD. The majority of respondents claim to have the policy "in process," with only about 15% having any kind of well-understood policy that has been disseminated to the employees.
One of the challenges highlighted in the Aruba study is that workers actively disobey policies. However, organizations can implement device checks and quarantine endpoints that are not in compliance. This can help with issues that the worker doesn't know about. The other part of policy enforcement is having the support of the C-level to discipline workers who break policy. I know from my IT days that this is easier said than done, as key employees tend to get a pass on many policies. I'm actually OK with that, but businesses should implement policies and enforce them with the rank-and-file, and manage the exceptions on a case-by-case basis.
For years now, businesses have been focusing mobile security on the apps, devices, and the network. That's all well and good, but it's now time to focus on educating and training the workers to avoid a Mobile Threat Level Midnight.