Galen Gruman
Executive Editor for Global Content

Mobile security: Security Grinches’ misleading scare tactics

analysis
Nov 4, 2011 (8 min read)

Ah, the period between Halloween and Christmas, when security vendors try to scare you by turning technology joy into fear -- and threaten your very business

They really make my blood boil: the stupid, heavily self-interested, and ultimately dishonest surveys that cry doom and gloom about normal human activities at a time when people are trying to get focused on joy. It’s a horrible mashup of Halloween and Christmas, where the security succubi and risk vampires not only won’t leave but seem intent on making everyone else revel in their misery. Why this pattern recurs each year, I don’t know, but Christmas does seem to bring out the security Grinches in full force.

Here’s an example of what I mean, from a recent news report: “Holiday shopping with personal devices at work could pose security risk,” based on a pair of “studies” by the security and accounting professionals’ association ISACA. Umm, so you should insist that your employees use business devices for holiday shopping instead? Last year, I decried a Symantec “study” warning companies that employees’ use of iPads and other mobile devices over the holidays from home or vacation spots could infect the network and bring down the business. So you should not let employees use their devices, broadband access, and PCs to work on their own time and/or from home for you any more?

If I were a CEO and my CIO or CSO came to me and said, “We need to buy tools and dedicate resources to make sure that our employees aren’t shopping on their Androids and iPhones because they might get malware and bring down our business,” I’d give that person a Christmas gift in the form of severance. Ditto if I were a CIO or CSO and one of my technical staff made the same recommendation.

Seriously — because this kind of “see danger everywhere and act on every possible danger” mentality is itself dangerous and needs to be rooted out before it seriously impairs your business. Execs, CIOs, and CSOs all need to be on guard against such FUD and weed out those who are susceptible to it. I suggest you rethink your professional dealings with associations and vendors who put out this kind of dangerous nonsense.

This ISACA survey is a perfect example of security fears becoming a corporate liability, not just a threat to IT (which it does by reinforcing the notion that IT is about preventing people from functioning). Imagine if you acted on these ISACA studies: You’d have to block all personal devices from access to your corporate network. Or spend money and time implementing new security software that interferes with basic user activities. That’s a huge cost in employee morale, employee productivity, and of course IT resources. And for what? You won’t be more secure.

Consider all the ways the ISACA pair of “studies” is dangerous:

First, it suggests this is a mobile issue. It’s not. The risk is largely that of phishing and secondarily that of malware. The phishing risk is endemic to any communications device: PCs, smartphones, tablets, telephones, and paper mail. Treating it as a mobile issue diverts resources and attention to a single endpoint and tends to obscure the larger threat. You should deal with phishing mainly through education and reinforcement (that is, doing your own internal phishing to teach people the risks and patterns), and use technology as a supplement (knowing full well that most antiphishing technology is highly inexact and thus not a cure-all).

The malware risk is an issue specifically with Android, due to its unmanaged app environment and its unpatched ecosystem — it is not an issue with iOS or BlackBerry OS. And it’s the same risk that exists for PCs.

Unfortunately, the security-industrial complex has decided that mobile is its new opportunity to make money, and it’s doing its best to make companies spend big money on small risks at a time when the economy is bad and every penny counts. Now everything related to mobile is trumpeted as a risk, yet the reality is that mobile risks are tiny; the real risk is on the traditional PC.

If your IT security people don’t already have a strategy to deal with phishing and malware risks across the board, they deserve the gift of a severance.

Second, it suggests the risk is in personally owned user devices. If you really believe that, you should disallow use of home PCs as well, and perhaps of remote access. After all, anything you don’t own and tightly control could be compromised. Per the news reports, the ISACA “study” recommendations boil down to “because the device connects to corporate networks and accesses data at times, its use for personal online transactions can pose a significant hacker risk to companies unless precautions are taken.” Let’s get real: Whether you own a device or not, it’s at risk if it accesses the Internet, which means every computing device is at risk, including the ones you own and provision.

There are still some IT and security pros who want to stop the BYOD phenomenon, and surveys like this cynically play into that outdated thinking by reinforcing the fake notion that the issue is who owns or selects the device. Deep down, any CSO or CIO knows that ownership is not really the problem, because if it were an issue of who bought or chose the device, you wouldn’t need to spend all that money on antimalware and intrusion-detection technology for your corporate PCs and networks, would you? But of course you do. The risk is not related to ownership but to management.

If your IT security people are looking to kill BYOD, they deserve the gift of a severance. After all, the paranoid approach to BYOD costs more and is less secure than a rational, policy-management-based approach.

Third, it suggests that employees should not do personal things. This fear is related to the BYOD fear and comes from a fundamental distrust of people — those annoying cogs without which the business could not exist. We heard this when people first got phones at their desks, then when the PC came into corporations, then when printers got connected via the network, then when email came in, then when the Internet came in, and now we’re hearing it again with mobile devices.

Sorry, but employees are not slaves or robots you can force to do only what you will. And in a world where professionals are expected to work during personal hours, the long-accepted trade-off is that employers have to return the favor and be flexible during work hours. The 9-to-5 job doesn’t exist for many people any longer.

Given the realities of employees doing personal things at work and work things at home, the only real solution to this risk is to protect your networks and your information where it resides, because any device anywhere could be used for personal transactions. Business transactions can’t be guaranteed to be safe, either. This risk has existed for the last 15 years of our Internet-connected world, so it does not justify panic today.

If your IT security people want to restrict employees to only business resources during work hours at the office, they deserve the gift of severance. That line of thinking assumes a perimeter world that’s long gone, and anyone clinging to it is building protections for a Soviet fantasyland.

CSOs, IT security staff, and other risk managers by nature are supposed to be paranoid, to see risks everywhere. Not only are their glasses half empty, but they’re likely hiding a tasteless, slow-acting poison. You want some of that in your organization to identify risks. But that paranoid thinking is inappropriate for deciding which risks you act on. The ones you put in charge of risk management — whether in IT, a security office, a legal function, an independent risk officer, or some risk group — need to leave the paranoia at the door and do rational risk assessment. No company can afford to secure everything: The spend is infinite, the ability to get work done slows to a crawl, and your best people will leave for somewhere they can actually do stuff. That’s a much bigger risk than employees buying Christmas gifts on their iPhone, Galaxy Tab, home PC, or office laptop.

The next time you see one of these scaremongering studies, note who’s behind it and take that organization off your list of trusted advisers and partners. Risk is real, but fearmongering is a sign of desperation and cynical calculation. There are plenty of security pros and vendors who don’t resort to such tactics to help you address real risks realistically. Use them instead. Don’t let the security succubi and risk vampires into your world — at any time of the year.

This article, “Mobile security: Security Grinches’ misleading scare tactics,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.