Michael Davis, author and chief technology officer for endpoint security company CounterTack, has it right when he argues that it's time to take the mobile out of mobile security. Whether the computer is a laptop, desktop, server, smartphone or tablet, the problem of securing data is the same, and lots of money can be wasted on products with the word "mobile" in front.
Scare tactics
For the last several years, security vendors have been trying to create a security crisis around mobile devices in order to sell technology. They unleash their marketing departments to scare the bejeezus out of you, and then offer their "solution" just before your nervous breakdown.
We all know that anti-virus vendors overstate the threat of mobile malware through a steady flow of reports showing large increases in the number of malicious apps. They also have labs of engineers whose job is to find and blog about mobile threats.
The scare tactics go beyond just malware. There's also the hammering about the bring-your-own-device (BYOD) trend and how employees are weakening security through the use of cloud storage services. And there's also the threat of downloading malware from app stores. A threat that's really a paper tiger, if you get your apps from Google Play or Apple's App Store.
Mobile malware has become a multi-billion-dollar business. Not only is there technology to tackle the problem, but a huge conference business has been built around it.
Fact is there's only one mobile-specific security risk, and that's losing a device carrying sensitive data or having it stolen. Beyond that, mobile security simply means protecting data, something companies have been doing on computers for years.
Understand mobile users
Rather than load a mobile device with unnecessary anti-virus software or imposing restrictions that wring all productivity gains from people using their smartphones for work, companies should figure out how employees are using their devices to do their job and react accordingly, Davis recommends.
For example, if employees are sending their work to storage services such as Google Docs or Dropbox to access on a mobile device later, then why not signup for an enterprise version of such a service and let employees use it at will? This would give employees what they want, while providing the access controls and security needed to protect data.
The point is if IT security pros want to get upper management to sign off on spending more for mobile security, then they need to focus less on the threat of malware and more on showing how doing nothing to secure devices will cost the business a lot more than taking a new approach.
In talking about IT security in general, John Pescatore, SANS director of emerging security trends, admonished chief security officers for "flogging the threat."
He went on to say it was time to "demonstrate solutions that work, that don't disrupt the business, and don't simply propose to keep smashing into the same walls, just wearing more padding in the future."
The same holds true for mobile security.