Surveys show IT’s unfounded mobile security fears

I get several surveys a month in which a security company surveys a few hundred customers to ask whether they’re concerned about various threats. Invariably, the answers reveal that IT is concerned about security issues, which isn’t so surprising considering part of IT’s job is to be concerned about security. I usually ignore the surveys because they’re blatantly meant to boost sales of the vendors’ products by scaring IT into thinking their companies are in danger.

After reviewing yet another “study,” I realized an interesting fact: The concerns aren’t based on actual issues. Check Point Software got my attention with a survey claiming that “71 percent say mobile devices have contributed to increased security incidents.” “Wow!” I thought, “that’s a huge degree of incidents that no one else has reported.”

I asked Check Point where that figure came from, given how there have been no major incidents reported of security breaches due to lost smartphones or tablets, hacked mobile devices, or any of the ogres that security vendors keep warning about. The answer was very convoluted but boiled down to a laundry list of what IT is concerned about — not about actual incidents that have occurred. In other words, it’s a survey about fears, not realities — basically the PR equivalent of scareware.

Believe me, if security vendors could point to real incidents, they’d be all over them like maggots on a corpse.

Check Point is hardly alone in such fearmongering. I routinely get similar “survey” results and scary conclusions from firms in the mobile security business, such as recently from Symantec, McAfee, Trend Micro, IBM, Lookout, Confident Technologies, and even Kensington, which makes locks for mobile devices and computers. I also get them from consultancies that regularly decry the lack of sufficient spending on security (no amount is ever enough, you know) and have recently begun to raise the specter of insufficient mobile security — for which they are happy to consult on, of course. Two recent examples are Deloitte and Ponemon Institute.

IT would be foolish not to think about security issues involving mobile devices, but when it comes to security, mobile devices per se are rarely the issue. The fact that privacy breaches reported typically come from two sources — lost USB thumb drives and lost laptops, not from mobile devices — suggests that the problem is the PC and the lack of easy file transfer and out-of-office access; the main reason employees put corporate data in thumb drives is to bring it home to work on it there, such as after the kids are in bed. That’s what IT needs to fix, not add one more security product to the mix or shut off access via mobile devices “just to be safe.”

Dealing with lost laptops should be easy — and without fear of privacy-breach disclosure costs — if they are encrypted, but the truth is that businesses have been lax about PC encryption for years even as many insist on mobile device encryption. Ironically, the insistence on mobile encryption seems to have begun a serious move to encrypting all devices, including PCs, which is a good development.

What’s rare on mobile are viruses and hack attacks — the very vulnerabilities the fearmongers like to cite, playing off the history of Windows PCs and projecting it to the mobile environment, despite the fact that mobile OSes are designed much more securely than Windows. (Yes, Windows is getting better each version.)

Worry about real, demonstrable threats if you must. In mobile, social engineering attacks are the overwhelming threat — in other words, phishing through emails and messages, social sites such as Facebook, honeypot websites, and even QR codes (the scannable graphics that hold embedded URLs). On Android, there’s the added vector of the malware-laden Android Market. Phishing is a big problem across all Internet-connected technologies and not unique to mobile. There’s not much technology can do to prevent phishing’s success, as the user is fooled into giving the malware permission to execute.

IT should remember that any survey from a vendor is self-interested, and its conclusions are going to justify its offerings. After all, there’s no other reason for a vendor to share survey results. You can bet that as soon as a technology looks to gain popularity, a slew of vendor studies will quickly tell you how absolutely dangerous it might be. If you work in IT you’re likely very busy, so save yourself the time and fake scares; instead, ignore them. You already know what they’ll say: Any technology is inherently unsafe, and users can’t be trusted.

The answer to this dilemma of course is to shut down all the technology systems and fire all the people — then you’re certain to be safe. Then again, I’m sure there’s a survey that says you’ll still be unsafe. Those monsters under the bed could still be there. A meteor is probably heading your way as well.

This article, “Surveys show IT’s unfounded mobile security fears,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com. Follow Galen’s mobile musings on Twitter at MobileGalen. For the latest business technology news, follow InfoWorld.com on Twitter.