Through direct conversations with business managers and end users, as well as stories from my colleagues in IT, I’ve heard one phrase a thousand times: “I don’t have anything of value on my smartphone.” It’s the main reason (see: excuse) that people don’t put passwords on their mobile devices. Yet I’m convinced it’s a fundamental way of thinking that’s leading to many of the data breaches we hear about.
Smartphone Security Matters
The downplaying of smartphone security risks seems justified. After all, in many cases, they’re seen as mere communication devices rather than computing devices. It can be argued that a good portion of people aren’t even aware of the technology at their disposal, let alone the information stored on their smartphones that is creating unnecessary risk.
The average smartphone today has gigabytes worth of storage potential, often with the option to add more. Virtual private network (VPN) connections are made with these devices. Corporate emails are accessed. Sensitive files are loaded, stored and shared. Mobile apps are downloaded and used as needed.
Imagine the possibilities for data breaches when devices are lost or stolen, used on unsecured wireless connections and even infected with malware. The typical smartphone is just about as powerful as — and has as much or more utility than — modern laptop computers, yet we’re still treating them as novelty items.
Executives Must Take the Lead
The phenomenon of “I don’t have anything of value” comes from all employees, but it’s executives who seem to say it the most. Ironically, these are the people whose phones — and the information stored on them — are at the greatest risk!
Just recently, I heard a C-level executive say, “The phones belong to our users, so there’s nothing we can do about them.” I’ve heard this many times before. It’s as if many business leaders have given in to the perceived reality that users call the shots. Or, just as badly, they view it as something that IT is handling and they leave it at that.
Smartphone vulnerabilities are not just a technical problem for IT or security teams to fix. This is a business risk that needs to be addressed — and enforced — at the highest levels of the organization. Acknowledge the security challenges these seemingly innocuous devices are creating. More importantly, vow to address the issue and then make sure it happens. Be it passwords, a full-blown mobile device management (MDM) system or ongoing assessments, do something about the security of your smartphones before they end up making you look dumb.
Independent Information Security Consultant