The military and mobile devices like smartphones and tablets were never an ideal match. The military requires a lot of security whenever transmitting data in any form, while smartphones and tablets carry security risks with bad apps and public Wi-Fi. Yet, last summer, the Pentagon admitted that technology was moving forward and the time had come to develop a strategy to use mobile technologies while ensuring good data security.
However, a recent check on mobile security shows that while Army personnel have embraced smartphones and tablets, they have not embraced good security habits. According to Wired, while the devices aren’t secure when purchased, there is an expectation that the individual users will implement good security practices:
Predictably, soldiers didn’t. At West Point, 15 out of 48 inspected mobile devices didn’t even have passwords set up. The Army’s Engineer Research and Development Center in Mississippi had more devices password-protected, but the smartphones and tablets used for two pilot programs “did not meet password complexity requirements,” the Pentagon watchdog found. And that’s leaving aside the bitter truth that passwords don’t provide adequate security.
Passwords are just the start. According to NBC, the phones and tablets, BYOD devices included, aren’t receiving the appropriate authorizations to be secured.
For an organization that is all about national security, the lax mobile device security is appalling, and I would suspect, or at least I would hope, not what Pentagon officials had in mind when they agreed to allow the use of phones and tablets.
On the Sophos Naked Security Blog, writer Beth Jones did praise the military for instituting a good policy regarding geotagging so military personnel couldn’t take pictures that would reveal their locations. But when there are so many other lapses, she asks, can you be totally sure this policy is working as planned?
Jones also raised this point:
And if the United States Army, with all the endless policies, is having a difficult time with BYOD, how is a small or medium-sized business going to cope?
It’s a good question, but I think the answer can be seen from two points of view. The first is not so much that the Army has endless policies, but that soldiers are trained from day one to follow policies. If they are so easily able to toss aside cybersecurity policies, then yes, it is hard to imagine how SMBs will cope with enforcing policies. On the other hand, the military is so large and diverse, while the SMB is smaller and should be easier to monitor. This spot check covered 14,000 devices. Even in a small company, is it unreasonable to manage and monitor BYOD security policies?
To me, the takeaway of this story is that no one is immune to cybersecurity lapses, even the best-trained security people in the world. That’s why, no matter the size of your operation, your BYOD policy has to be clear and enforced for all who use it.