Feature Article

June 13, 2013

Mobile Enterprise Security Must Not Be Ignored - What You Don't Know is a Dangerous Thing

Here is the fundamental enterprise mobility question: Do we today live in an inherently unsecure mobile business world? The extremely short answer is: We do. And let's add a fundamental statement: What you likely do not know about enterprise mobile security within your own business environment is a very dangerous thing. We're not given to hyperbole or sensationalist headlines, but enterprise mobile security is a serious issue in need of serious and immediate attention.

Yesterday we moderated a webinar on delivering mobility into the healthcare market. In the world of healthcare patient and data privacy and compliance, mobile security matters a great deal. The issue of course came up during the webinar, and it led us to think about the current state of mobile enterprise security in general; hence, the question above and what we believe, based on our current position in life - one where we speak all the time with both the mobile security vendors and the enterprise mobile world.



We got our start with enterprise mobility back in 2000. It happened in a MicroStrategy conference room while we were visiting with CEO Michael Saylor in our role then as editor in chief of Internet World Magazine. He had just gotten himself a new BlackBerry "messaging" device and push e-mail service, and he was excited. To demonstrate its value and importance, he sent his admin a wireless e-mail message - and moments later a lady came dashing into the conference room we were sitting in with a glass filled with ice and a can of Coca Cola that she popped open when she got there. Saylor turned to me and said, "Isn't that cool?!"

As much as we were thinking that had we tried that with our own admin, the can of Coke would most definitely have ended up being poured on our head, we nevertheless became mobile enthusiasts - to the extent that back at our own offices we began considering launching a mobile commerce magazine. We launched an Internet World column dubbed mCommerce and then drew up plans for a mobile magazine launch. We don't recall mobile security being all that much of a concern at the time - although there was constant chatter and concern about tapping into the wireless data airwaves and capturing wireless data streams - a different kind of security issue than those we face today.

BlackBerry was just at the beginning of its eventual mid-2000s enterprise mobile dominance back in 2000, and the mobile Internet was just coming into existence with the now properly god-forsaken WAP (Wireless Application Protocol). The long defunct Industry Standard had declared back then in a cover headline something along the lines of: "If You Ain't Wapped Yer Dead." Mobile was in the air regardless of how primitive it - and the mobile phones trying to use it - was at the time.

Through it all and on into 2003-2008, BlackBerry built up an enormously secure mobile infrastructure and a huge set of security certifications that made it the darling of enterprises and government agencies. At one point during that time, Morgan Stanley, for example, had 40,000 die-hard and secure BlackBerry users. And enterprise IT people all the way up the ladder to the CIO and CTO (and eventually the new Chief Security Officer) lived a life of comfort and restful nights of sleep relative to enterprise mobile security.

Then the iPhone came along and everything changed on the mobile enterprise security front. Executives made demands and enterprise IT found numerous ways around formerly strict security policies to allow them use of their iPhones. The iPhone revolution evolved of course into the BYOD revolution. The question that arises from all of this is a critical and fundamental one: Is business - no matter what that business is or how small or huge that business might be - now living in a fundamentally unsecure internal world? As we said up top, the answer is yes, it is.

Why is the Mobile Business World Unsecure?

The answer is a simple one - ignorance.

The fact is that most businesses naively believe they are taking all the necessary measures to lock down and secure their mobile apps, their BYOD mobile devices, their BYOD workforces and partners and their back-end technologies. This isn't the case across the board of course, but the problem is that for every company that is intensely aware of its mobile security issues we estimate that there are at least 15 that are not.

That is a purely anecdotal number based on our own ongoing conversations with enterprises over the years. The ratio may in fact be more, or even less, but even one unsecure mobile-driven business can eventually cause havoc for millions of users. Even a small business these days can have a million or more customers, and if one of these companies falls into the unsecure mobile category - well, from a consumer perspective you can certainly figure out the rest.

If you happen to be on the business side of that equation, can you really risk potential harm to any of your customers or partners? Such harm may come through simple holes in your mobile security strategies, or more likely from more sophisticated and well-hidden holes in your mobile security defenses.

It's not what you know but what you don't know about your security strategies that creates significant danger - for your customers, partners and your workforce. When we speak to enterprises about mobile security the very first question we always ask them is whether or not they have active mobile security action plans in place. Yes, our question obviously takes into consideration BYOD - but we really don't need to overtly state this any longer. BYOD is the new law of the land and we can consider it to be inherently included in any mobile security discussion.

The very next question we ask is, "Is your mobile security action plan complete?"

Most companies answer the first question with a yes - but most have no answer to the second question! Why? Because they simply don't know. This is the huge mobile security issue of the day! In fact, any enterprise mobile security action plan needs to have that question as the very first item on the plan's checklist.

We and our colleague Peter Bernstein mull this mobile security issue over every day of the week and we constantly dumbfound each other (something exceedingly hard to do given our collective 60 years of tech industry analyst experience) with stories of enterprises we've spoken to that "do not know" the true state of their mobile security capabilities.

Of course we both spend a good deal of time writing about it. But…the issue actually concerns us so much that we decided earlier this year that it was well worth taking some proactive action about it. To do so Peter and I worked out a one-day mobile enterprise security program and event, and Peter has since taken it to a refined level.

As the event's conference chair Peter has evolved a solid one-day mobile security event (being held in New York City on July 23, 2013) populated with expert and hands-on mobile security pros - people that we've known for quite some time and trust - that is built entirely on the idea of creating a highly actionable enterprise mobile security plan that leaves participants in the position of becoming fully aware of their exact mobile security states of readiness.

We are enterprise mobile champions and have been so going on 13 years now. But we are currently very vexed by the potential that exists for mobile enterprise security lapses and potential havoc. We very much want to encourage the business world to take mobile security far more seriously than is currently the case.

If your business IT team believes that you've got mobile enterprise security covered and that you have nothing to worry about and you believe your business is indeed protected, we welcome you to our growing list of companies that do not know what they do not know. Mobile security is an inherently shifting landscape and there is no such thing as a mobile security guarantee.

We urge you to create an actionable mobile enterprise security plan that requires reviews every three months - uncover those mobile security holes and keep your customers, workers and partners truly safe.




Edited by Alisen Downey

