Securing mobile devices is a continuing challenge for enterprises as they deploy more mobile applications. In some cases, security risks are overblown; in others, they are underestimated. What myths about mobile security should IT security managers be aware of?
1: Mobile devices don't need encryption
A surprising number of companies don't implement data encryption on mobile devices. If these devices are being used as thin clients only, with enterprise data being stored in the cloud, there is less need for encryption. However, more and more mobile devices store contact lists, photos, price lists, sales notes, and other sensitive information. The localized storage enables field-based personnel to keep working even if the cloud becomes unavailable. For these reasons alone, encryption should be more widely considered.
2: Wearables don't need to have security practices applied
Wearable devices are just beginning to make an entry into enterprises. In early applications, they are used for things like capturing photos of crime scenes in police work and photos of equipment in the field that needs repair and must be referred to an internal company expert. However, less than 60% of these devices are secured, according to a recent Tech Pro Research mobile security report. As more of these devices are dispensed for field operations, IT might need to rethink this.
3: It's okay to skip mobile security evaluations in IT audits
When it comes to mobile devices, organizations tend to focus their mobile security audits on the network and its centralized monitoring and downloads to these devices. They should also focus security audits on employee mobile device practices in the field and on the security measures that are resident on devices themselves.
4: Mobile devices are inherently less secure than desktop devices
Mobile device security doesn't have to be less robust than the security found on desktops. In some cases (such as the ability to track and shut down mobile devices remotely), mobile devices might even be more secure. Mobile devices also have small data footprints, using the cloud to store data, so they are unlike "fat client" laptop counterparts that have hard drives full of data. As a result, less data may be exposed to security breaches on mobile devices.
5: BYOD devices promote lax security practices
This isn't necessarily the case. If IT has firm guidelines for qualifying which mobile devices will be accepted in its BYOD program, coupled with usage practices and IT security practices that are uniformly enabled, monitored, and administered on these devices, BYOD can be just as secure as enterprise-issued mobile devices.
6: Mobile devices have more security software vulnerabilities
Mobile devices do not have any more software security vulnerabilities than desktop computers. The difference is that mobile devices are in the field, so IT has to enact a centralized method of delivering new security and software patches down to these devices from the network as soon as patches are available.
7: Mobile devices don't need two-factor authentication
Mobile devices are prone to being misplaced or lost, so the additional security sign-in code that goes beyond just user ID and password can help to secure them. It's advisable for all mobile devices to use two-factor authentication, which requires a secret signing code (e.g., where you went to high school) as well as a user ID and password for access.
8: Laptops are less vulnerable to security breaches than tablets and mobiles
Laptops and desktops in the office aren't necessarily more secure than mobile devices. A primary reason is that many laptops and desktops still contain resident hard drives that store sensitive data. This creates greater risk that data can be stolen, compromised, or shared with unauthorized users.
9: Desktop PCs and laptops don't get lost
Laptops and desktops do get lost, although not at the same rates as mobile devices. Even five years ago, lost laptops were costing organizations $18 billion annually—and the problem still exists today. IT should track this equipment with asset management software and other measures, in the same way it tracks lost or misplaced mobile devices.
10: Public app stores are safe
Smaller companies lacking their own network infrastructures for downloads will sometimes use public app stores to effect these downloads to their users—and in many cases, companies of all sizes will use public app stores to download handy applications to their end customers. These app stores have taken numerous precautions to ensure that downloads are safe and secure—but it doesn't mean that they don't experience security breaches, malware threats, and hacks. The best policy (especially for internal application downloads) is to create your own download procedures that your network administrator directly oversees.
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.