Mobile device security can be a difficult sell
Many firms play wait-and-see as industry, technology evolve
Enticing people to buy a BlackBerry pager to send and receive emails away from their desk was a tough sell when Jeff Holleran joined Research In Motion Ltd. in late 2001. Fourteen years later, he’s facing maybe an even tougher task: getting mobile users to secure all their information — and foot the bill to do it.
According to a survey commissioned last summer by BlackBerry Ltd., seven out of 10 people in charge of risk and compliance deemed mobile devices to be their company’s biggest cybersecurity threat, yet only 30 per cent of the 780 respondents felt they were adequately protected. What’s worse, by now, those security mechanisms that made the 30 per cent feel at ease are likely outdated.
Companies in Canada are already as much as 18 months behind their U.S. counterparts in adoption, said Roi Ross, director of business mobility products at Telus Corp., one of the hundreds of software resellers. But it’s not just a thrifty mindset keeping organizations on the sidelines: It’s that mobile security is so hard that it seems some are opting to kick the can down the road instead of addressing the elephant in the room.
Richard Tam, chief administrative officer at Mackenzie Richmond Hill Hospital, located in a suburb north of Toronto, said the increasing mobility of patient data and care is generally being avoided. “A lot of people are trying not to deal with it,” said Tam, because “once you open up mobile health, you have to deal with all the issues.” And many hospitals administrators in North America are choosing to keep that door closed.
“It’s not like you can just drop the software in and it works,” Ross said in an interview. It takes time to test, select, configure and install, and then train employees to use it. Also, “some people are hoping to see some shakeout, or consolidation, in the industry” before choosing their provider. And, so, the gap lives on.
The market has already faced pricing pressure and consolidation. VMware Inc. acquired AirWatch LLC in 2014. IBM Corp. bought Fibrelink Communications Corp. in 2013. Citrix Systems Inc. purchased Zenprise Inc. in 2012. More marriages are expected. Holleran estimates 80 providers are left jostling for business, promising to thwart intruders who try to smash a virtual window or climb in one that’s been left wide open.
But just as the C-suite was warming up to the idea of fortifying phones and tablets, the industry has taken a noticeable shift from blanketing entire devices in bubble wrap to safeguarding corporate data irrespective of where they are being stored, as files travel in and out of an organization and back in again.
This new focus, called Mobile Application Management, or MAM, is a response to the proliferation of the Bring Your Own Device (BYOD) policy, which, for all its costs savings, is exposing firms to new liabilities.
“We’ve moved past the base of MDM (Mobile Device Management). In fact, we see it as just table stakes,” said Holleran, now vicepresident of corporate strategy at BlackBerry. “That’s just what you have to bring to the table to play in this space. You have to do interesting things that help companies out.”
Further muddying the waters in this space is that some statistics and reports suggest securing cellphones should rank much lower on the IT to-do list.
For example, according to a weekly analysis conducted from July to December by Verizon Enterprises Solutions, an average of 0.03 per cent of the phones connected to its U.S. wireless network were “infected with ‘higher-grade’ malicious code,” per findings from its 8th annual Data Breach Investigations Report.
“Is this something that we should be paying a lot of attention to and paying a lot of time on? Statistics say no,” David Ostertag, global investigation manager for the investigative response unit at Verizon, said in June at an industry conference in Toronto. “This is an area where we can take our resources and apply them somewhere else. We just don’t see the mobile device in breaches.”
But just because you can’t see them doesn’t mean data leakage or breaches haven’t taken place, Holleran warned. “You only read about the ones that people are forced to disclose,” he said.
That’s because the threat is coming from seemingly innocuous sources, not just savvy hackers.
It’s the employee who gives a phone to their kid before erasing company data. It’s a forgotten confidential file on a USB stick. It’s a former sales rep who takes your clients and their order activity over to a rival. It’s the hazard posed by downloading many third-party apps that can be gateways into a device and beyond.
IT decision makers have to shake the feeling that the only reason an intruder wants to breach a phone or a tablet is to steal a file sitting on the device, said Christy Wyatt, chief executive at Sunnyvale, Calif.-based software provider Good Technology Corp. Data retrieved on mobile devices can also help hackers launch an attack from another medium and do so with little trace, making it tougher to detect and defend against.
“You have to assume that you’re always under attack and you can’t assume that the thing that’s vulnerable is the surface people are attacking first,” Wyatt, who grew up in B.C.’s Okanagan Valley and went to school in Nova Scotia, cautioned in an interview. “There isn’t an employee that doesn’t have something that could be used against you. That’s really the big vulnerability and people are not yet acknowledging it.”
This is an area where we can take our resources and apply them somewhere else. We just don’t see the mobile device in breaches.