Is your agency’s mobile strategy secure?
The rise of mobile and BYOD solutions has changed the way employees interact with their organizations. But the security of the mobile applications those employees rely on is in question: many mobile apps ship with serious, unaddressed security gaps.
A recent study by IBM and the Ponemon Institute found that half of the organizations it surveyed don't invest in mobile app security, and 20 percent of the ones that do aren't taking adequate precautions to secure their mobile applications. Much of this is due to a pressure to release apps: 65 percent of respondents admitted that they sometimes put customer demand ahead of their security needs.
According to the report, the surveyed organizations dedicated only 5.5 percent of their app development budgets to security. The people needed to do that security work are also lacking: only 41 percent of respondents say they have professionals with the security expertise required to ensure their apps are secure.
"It's infeasible to check the security of every app on every device that every employee brings in."
Organizations that are starting to try out BYOD solutions should beware: it is infeasible to check the security of every app on every device that every employee brings in. The data backs this up. The IBM/Ponemon study found that most organizations have no policy in place for the use of mobile apps in the workplace.
Employees' use of mobile apps is a major concern for security teams: respondents reported that it has significantly or very significantly increased their security risk. And many of those organizations simply don't have the budget or expertise to properly secure their systems. This is particularly important for federal agencies, where "organizational security" often means "national security."
Smartphones, dumb policy
BYOD schemes pose some serious risks to organizations. A study by MessageOps and Champion Solutions Group, reported by eWEEK, found that almost a quarter of organizations using BYOD do not lock the device after multiple failed password attempts, and even more do not lock it after a period of inactivity. Without basic precautions like these, a lost or stolen phone can be brute-forced at leisure, and an unattended, unlocked phone gives anyone who picks it up the same access its owner has.
Federal Computer Week goes into some of the complications inherent in a secure BYOD ecosystem. It's a strategy rife with possibilities for security holes, because a personally owned smartphone typically lacks the centrally managed controls (enforced configuration, patching, monitoring) that an agency-issued PC has. But mobile security doesn't have to be broken. Agencies that outsource IT service management can make sure that mobile platforms are developed by experts in the field who can prioritize cybersecurity, ensuring that smartphones don't become the vector for data breaches.
"It's important to identify where BYOD is useful, and where it's a security risk."
FCW's article goes into some of the broad tools recommended by the Obama Administration, such as implementing virtualization and "walled garden" data segregation. Additionally, FCW notes that it is important to identify where in an organization BYOD will be useful, and where it will be an undue security risk. Plenty of organizations might find that BYOD just will not work for their needs.
Deciding where BYOD is appropriate should be an ongoing conversation for federal IT departments, and it should center on one requirement: sensitive data must never have to reside in the unmanaged, personal part of a device. There is no one silver bullet for security, so designing a holistic approach to security both on and off mobile is the best way for organizations to make sure that they're keeping data safe.
Information assurance is a huge, complicated task. To alleviate this burden, it's a good idea to partner with a firm that can help provide mobile platform development with an eye on security, where they can balance security with functionality.