I get several surveys a month in which a security company surveys a few hundred customers to ask whether they're concerned about various threats. Invariably, the answers reveal that IT is concerned about security issues, which isn't so surprising considering part of IT's job is to be concerned about security. I usually ignore the surveys because they're blatantly meant to boost sales of the vendors' products by scaring IT into thinking their companies are in danger.
After reviewing yet another "study," I realized an interesting fact: The concerns aren't based on actual issues. Check Point Software got my attention with a survey claiming that "71 percent say mobile devices have contributed to increased security incidents." "Wow!" I thought, "that's a huge degree of incidents that no one else has reported."
I asked Check Point where that figure came from, given that there have been no major reported incidents of security breaches due to lost smartphones or tablets, hacked mobile devices, or any of the ogres that security vendors keep warning about. The answer was very convoluted but boiled down to a laundry list of what IT is concerned about -- not about actual incidents that have occurred. In other words, it's a survey about fears, not realities -- basically the PR equivalent of scareware.
Believe me, if security vendors could point to real incidents, they'd be all over them like maggots on a corpse.
Check Point is hardly alone in such fearmongering. I routinely get similar "survey" results and scary conclusions from firms in the mobile security business, such as recently from Symantec, McAfee, Trend Micro, IBM, Lookout, Confident Technologies, and even Kensington, which makes locks for mobile devices and computers. I also get them from consultancies that regularly decry the lack of sufficient spending on security (no amount is ever enough, you know) and have recently begun to raise the specter of insufficient mobile security -- on which they are happy to consult, of course. Two recent examples are Deloitte and Ponemon Institute.
IT would be foolish not to think about security issues involving mobile devices, but when it comes to security, mobile devices per se are rarely the issue. The fact that reported privacy breaches typically come from two sources -- lost USB thumb drives and lost laptops, not mobile devices -- suggests that the problem is the PC and the lack of easy file transfer and out-of-office access; the main reason employees put corporate data on thumb drives is to bring it home to work on it there, such as after the kids are in bed. That's what IT needs to fix, rather than adding one more security product to the mix or shutting off access via mobile devices "just to be safe."
Dealing with lost laptops should be easy -- and without fear of privacy-breach disclosure costs -- if they are encrypted, but the truth is that businesses have been lax about PC encryption for years even as many insist on mobile device encryption. Ironically, the insistence on mobile encryption seems to have begun a serious move to encrypting all devices, including PCs, which is a good development.