Awhile back, BlackBerry announced the acquisition of WatchDox, a secure collaboration platform that is apparently classified as “visionary” by the Gartner Group. This week, it announced BlackBerry integration and expanded the multi-OS range of the offering, which now covers Samsung KNOX, Android for Work, and Secure Work Space for iOS and Android. Finally, it integrated Enterprise Identity, providing an authenticated consistent secure access tool bridging mobile devices, PCs and the web with a single sign-on.
Given the disclosures of state-level cyberattacks and information theft and the known vulnerabilities with Android in particular, you’d think that offerings like this would be massively popular. If we were talking exposures like this for the PC platform and a similar dearth of tools, this class of product would be seen as critical to the security of the firm and the assured tenure of the CIO. But that doesn’t appear to be the case here. I think it comes down to some stupid policy decisions that have unfortunately left companies far more vulnerable than they should be.
9/11 Lessons
As we approach September 11th, it is increasingly easy to think about the failures to defend against that attack in the context of our current security threats. The country had adequate warning of the attacks, even down to passengers being able to call down from the soon-to-be crashed planes. The issue was turf and coordination. In fact, when air defenses were finally scrambled, it was because someone violated policy to do so. The frightening thing for most of us with a security background was that much of what was done afterward to protect against another 9/11 event was not related to the attack, and things that were known to be broken, like interagency conflicts, weren’t adequately addressed. Today, the same kind of attack in the same place could be successful if the attackers just switched to smaller private aircraft, came in at low altitude, and increased the numbers of planes. We saw this demonstrated earlier in the year, when a pissed-off postman flew a gyrocopter onto the White House grounds (recall that the White House was one of the initial targets for the 9/11 attack, and could be again).
The Issue with Smartphones and Tablets and the Problem with BYOD
With PCs, for the most part, IT owns the machines and clearly owns the responsibility to secure them. If you are going to attack a PC user, an attacker is best served using a phishing attack because these machines are typically protected by layers of security software. Now, that software may not be adequate, but it is very rare to find a corporate PC that isn’t running some form of anti-malware protection coupled with some form of central monitoring to assure timely patches and updates.
Tablets and smartphones are the exact opposite. While they may be, and often are, used in secure government facilities, hospitals, and on trading floors, it is still more of an exception than a rule to see them adequately secured and centrally monitored.
The reason is that ownership is either unclear or the device is owned by the employee. Much like we find with employee-owned PCs not being patched in a timely manner, adequately secured, or effectively protected, the entire class of mobile devices is being treated in much the same unacceptably unsecure fashion. A lack of clear responsibility is at the heart of what is clearly a very foolish policy.
For line or IT to base their career survival on a turf defense, saying “it isn’t my job,” in the face of an Ashley Madison-style, company-killing breach would be laughable if it wasn’t potentially so tragic. After the fact, executive management is likely to conclude that it is both line and IT’s responsibility to assure security and, instead of one successfully hiding behind the other, both are likely to be badly shot. Even if they aren’t, if the firm fails, they will be out of their jobs, regardless.
Wrapping Up: Security Is Everyone’s Job
How is your mobile device secured? After a breach involving a mobile device, would the security policy, technology, implementation and oversight be seen as adequate? These are two questions you should be asking yourself about the device you carry and the devices your folks use. If it is your device that is compromised, surviving what follows is iffy, particularly if it is found that the device was inadequately secured. Hillary Clinton’s email server scandal showcases that even if the device isn’t known to be compromised, a security review could still result in decisions that would get anyone short of a presidential candidate fired.
In short, it is your job to make sure the device(s) under your control are adequately protected. If you feel it is someone else’s job, then it is your responsibility to make sure that job is done. Post breach, with something under your control as the source of the breach, the argument that it wasn’t your job will likely be made in your exit interview. In the end, security is never the other guy’s job, it is everyone’s job, and folks forget that at their peril.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+