Go to any security event these days and you will find any number of information security managers, vendors or company directors all nodding in agreement that mobile devices and bring your own device (BYOD) are one of the current big security threats. But at all the events I’ve been to recently not one person has been able to quantify what the actual risk is. Despite not really understanding what the problem is, however, everyone is keen to fix it, and you can bet your life there is someone willing to sell you a product that will “secure” your mobile devices.
But here at the University of Oxford BYOD isn’t exactly a new thing! How many people out there using the Oxford network first connected their own device back in the early nineties? Today we have people connecting not just one device but many of their own devices (and University-owned mobile devices to boot). Think of any product you like and I’m sure you’ll find it on our network, and it will have been there for as long as it has existed. Despite this we are still here.
So what really is the risk? There is certainly a concern over data protection and potential breaches involving confidential and/or personal information, though from the conversations I’ve had most people are worried about the use of email. This makes me ask two questions: a) isn’t this an email issue rather than a mobile devices issue, and b) why are you using unsecured email for dealing with confidential data in the first place? How many people who are worried about email on mobile devices would happily log into untrusted, public kiosk machines wherever they are in the world? Of course there are people out there who are perhaps handling larger confidential datasets on their tablets or smartphones, but the fact that someone uses an iPad seems to worry people much more than someone using a laptop, regardless of how either is used.
I’m not saying these things are exactly the same or that there aren’t different vulnerabilities with different devices, but does the fact that someone is using a “mobile device” inherently increase the risk to the point where we need a one-size-fits-all approach to securing such devices? There is an argument to say that people will take more care of their own expensive devices which contain primarily their own information. Perhaps the way forward is a policy saying that confidential data can be used on mobile devices so long as you keep naked photos of yourself on the same device.
One threat that often seems to get overlooked (although not from within the technical security community, I might add) is that of malware. This seems to be forgotten amongst the worry surrounding perceived data protection issues, but if you wanted to target large volumes of information on an organisation’s mobile devices, would you go out and start stealing individual smartphones, or would you try to infect hundreds of them and collect the data from your living room? Come to think of it, you’d probably target the data, not the device, so things like email (again) are a prime target. On the other hand, how many casual thefts of tablets and smartphones result in data actually being exposed, compared with devices being stolen to be wiped and sold?
Of course we need to protect personal and confidential data wherever it may be, and with the powers of the ICO (the UK Information Commissioner’s Office) to issue fines, the impact of not doing so can be considerable. Despite that, I hear many comments suggesting that damage to reputation is the key concern, and I agree that this is something to take into account. However, fewer people seem to consider the reputational impact of constantly telling our users what they can’t do. We live in a world where the expectation of our users is soaring. People want access 24 hours a day, 7 days a week, and they want it from whichever device they are using, wherever they are in the world. Surely meeting these demands and this expectation should be one of (if not the) major influences in our decision making and policy? Don’t we need to be thinking of ways to provide secure access to information regardless of device, location and time? After all, concentrate on securing particular devices and they will surely be out of date in a few years’ time.
Yes, there are different and sometimes increased risks with mobile devices, but there are many benefits too. And of course there are different environments (we don’t operate in a homogeneous, managed or locked-down one, and the risks to us are different from those of, say, banks). Of course we should secure information, and encryption certainly has a part to play in that. But we also need to be concentrating on providing access to information and making it accessible in a way that allows people to work in the way that a modern, mobile society demands.
So the next time someone tells you that you need to be securing mobile devices, ask them if they know why.