Porting Apps to Mobile Devices: Pandemic Business Continuity or Scariest Security Risk Ever?!

Analysis
Aug 4, 20093 mins

The highly contagious Swine Flu (A/H1N1) has forced companies to consider porting internal apps to mobile devices to maintain revenue if employees cannot commute to work -- good idea or security nightmare?

For nearly a decade, cell phones have evolved from being a way of staying reachable to mobile data devices with daily functions (talk, email, text messages, and calendar). Blackberries and iPhones have evolved to be so widespread and GUI friendly, the onslaught of mobile specific applications have become an overnight success.

The porting of internal applications to mobile devices has gained increasing support from business continuity (BC) committees and executives. Primarily to maintain work flow (i.e. revenue streams) during a disaster recovery fiasco that would keep employees from traveling into work. Up until this year disaster recovery scenarios keeping employees at home were mostly hypothetical exercises required by contractual, regulatory or audit requirements. But when the highly contagious outbreak of Swine Flu (A/H1N1) spread throughout the globe, it gave disaster recovery committees the leverage it needed to transform internal apps onto highly mobile devices.

At the surface, this sounds like a positive step in the right direction. But take a step backwards and look at the whole picture…holy crap it’s a really really bad idea (nearly as bad of an idea as putting camera functionality in a cell phone!). Mobile devices are relatively secure when the proper precautions are taken into considerations – endpoint encryption, anti-virus, required logon password, automatically wipe the device after x failed logon attempts, maybe even design a thin client app, etc. But let’s face it…unless you’re a techie geek that prides himself on using ridiculously hard passwords, the typical end-user will be protecting all those corporate secrets using the password 1-2-3-4. Simply because it’s easy to remember and can be done quickly with one-hand, therefore, bypassing all that security!

As you can tell…experience has taught me NOT to rely so much on end users to do the secure thing, no matter how often I provide Security Awareness Trainings. And the security of a company is only as strong as it’s weakest link!

Another downfall is the frequency that cell phones are lost or stolen. Again…leading back to the easily guessed passwords that are commonly used ‘in the field’. It’s a common security understanding that if an adversary has physical control of the system/device, it’s simply a matter of time before they can access the content – internal app, housed sensitive information, corporate email, etc. This is especially dangerous for a healthcare or financial institution that must obey stringent breach notification laws when a mobile device is unaccounted for. Not to mention most remote users and executives use their email as more of a file server than a means of communication.

Seems like a counter-intuitive approach that will cause more harm than good. Of course, simply considering the amount of human errors when typing sensitive information into a small iPhone keyboard is a whole other issue! A doctor entering a slight typo in your SSN or amount of medication could be a fatal mistake!