They really make my blood boil: the stupid, heavily self-interested, and ultimately dishonest surveys that cry doom and gloom about normal human activities at a time when people are trying to get focused on joy. It's a horrible mashup of Halloween and Christmas, where the security succubi and risk vampires not only won't leave but seem intent on making everyone else revel in their misery. Why this pattern recurs each year, I don't know, but Christmas does seem to bring out the security Grinches in full force.
Here's an example of what I mean, from a recent news report: "Holiday shopping with personal devices at work could pose security risk," based on a pair of "studies" by the security and accounting professionals' association ISACA. Umm, so you should insist that your employees use business devices for holiday shopping instead? Last year, I decried a Symantec "study" warning companies that employees' use of iPads and other mobile devices over the holidays from home or vacation spots could infect the network and bring down the business. So you should not let employees use their devices, broadband access, and PCs to work on their own time and/or from home for you any more?
If I were a CEO and my CIO or CSO came to me and said, "We need to buy tools and dedicate resources to make sure that our employees aren't shopping on their Androids and iPhones because they might get malware and bring down our business," I'd give that person a Christmas gift in the form of severance. Ditto if I were a CIO or CSO and one of my technical staff made the same recommendation.
I'm serious, because this "see danger everywhere and act on every possible danger" mentality is itself dangerous and needs to be rooted out before it seriously impairs your business. Execs, CIOs, and CSOs all need to be on guard against such FUD and weed out those who are susceptible to it. I suggest you rethink your professional dealings with associations and vendors who put out this kind of dangerous nonsense.
This ISACA survey is a perfect example of security fears becoming a corporate liability, not just a threat to IT's standing (which it damages by reinforcing the notion that IT exists to prevent people from functioning). Imagine if you acted on these ISACA studies: You'd have to block all personal devices from your corporate network, or spend money and time implementing new security software that interferes with basic user activities. That's a huge cost in employee morale, employee productivity, and of course IT resources. And for what? You won't be more secure.
Consider all the ways the ISACA pair of "studies" is dangerous:
First, it suggests this is a mobile issue. It's not. The risk is largely that of phishing and secondarily that of malware. The phishing risk is endemic to any communications device: PCs, smartphones, tablets, telephones, and paper mail. Treating it as a mobile issue diverts resources and attention to a single endpoint and obscures the larger threat. You should deal with phishing mainly through education and reinforcement (that is, running your own internal phishing campaigns so people learn the risks and patterns firsthand), and use technology as a supplement, knowing full well that most antiphishing technology is highly inexact and thus not a cure-all.
The malware risk is an issue specifically with Android, due to its unmanaged app environment and its unpatched ecosystem; it is a far smaller issue with iOS or BlackBerry OS, whose app stores are curated and whose OS updates reach devices directly. And it's the same risk that already exists for PCs, which is where you should already be managing it.
Unfortunately, the security-industrial complex has decided that mobile is its new opportunity to make money, and it's doing its best to make companies spend big money on small risks at a time when the economy is bad and every penny counts. Now everything related to mobile is trumpeted as a risk, yet the reality is that mobile risks are tiny; the real risk is on the traditional PC.
If your IT security people don't already have a strategy to deal with phishing and malware risks across the board, they deserve the gift of a severance.