Which aspects of endpoint security should be on the CIO radar? In this three-part webcast, Jack Gold, president and principal analyst at J. Gold Associates LLC, looks at the weakest links in endpoint security. In part one, Gold addressed why endpoint security should matter to the CIO. In this second part, Gold looks at BYOD and security issues, including the importance of governance and policy in these areas.
Jack Gold: From a bottom-line perspective on this democratization issue, BYOD [bring your own device] and democratization really require a new view on what management includes and how security is achieved. It's not the old days. It's changed dramatically. So what is it that you need to do? What are some strategies to deal with this diversity? It's getting very messy out there -- there are lots of devices [and] lots of applications.
One of the things that you need to think about is dealing with this popular choice, and you need to create a number of coping strategies. We've listed six on this chart. There could be more depending on your organization. No. 1 is define end-user classes. Not all end users are created equal. Some should have access to a variety of tools and capabilities in back-end systems; some, maybe not. Also, build a device matrix that is very similar. Some devices are safe, some should have access, some perhaps not so much.
Create a checklist for deployment. It's important to know what you're actually deploying out there and how you deploy it. So if I walk in with a BlackBerry, and you walk in with an iPhone, and someone else walks in with an Android device, they're not exactly the same. So figure out how you're going to deploy each of the devices.
Also, decide how you're going to improve various devices. Again, not all devices are created equal. Should you support each and every device there is out there? And the answer is probably not. There are some devices that you will support or at least offer a high level of support, and some that you won't -- or at least [will] offer a low level of support.
Also, who gets to pick the app? Is it ultimately the consumer, the end user that goes out and gets an app? Or is it IT? Or is it a combination of the two? It really should be a combination of the two. There are some apps that just aren't suitable for corporate environments.
And finally, implementing governance and policy -- this is an area where many companies don't do an acceptable job, where they don't spend enough time in governance and policy and security suffers. This chart on the right, this little graphic is something we call The Security Gap. And in a nutshell, it shows you where security and diversity -- those are the two axes, security being the vertical axis, diversity being the horizontal axis -- and IT control and user choice both converge and diverge.
One of the things that you need to think about is what is your acceptable risk gap? And what is your security gap? I'm sorry; it's acceptable risk versus a security gap. And you'll find that if you give users too much control, and IT doesn't have enough control, you run into the security gap issue. You need to assess that effectively and know when you're crossing over into that, really, no-man's-land, where you don't want to be. That's a real problem area. So, bottom line, think about building an effective device diversity strategy. If you don't have one, it really is a recipe for failure within your organization.
Now why is security different? Many organizations think security is security is security. And in fact, to some extent, that's true, but mobile security is different than general security and PC servers and the like.
There are three components to evaluate from a mobile security perspective. One is data in creation -- that is, apps, vulnerability, what are you doing, malware, encryption, those kinds of things.
Then there is data at rest on the device. What do I do to protect that data on the device, both from being hacked but also from users just taking that data and putting it in inappropriate places? Like taking a customer list, for instance, and putting it in Dropbox, something you probably don't want them to do. And, finally, what about the data in transit over the network? The wireless network is relatively secure, but what about VPNs [virtual private networks] and getting into the corporate back end and the like? All of these components need to be addressed.
The other issue that you need to think about is what does failed security actually cost the organization? Well, it can be very expensive. This yellow box on the right talks about the risk. Five to 10% of notebooks are lost or stolen per year. Fifteen to 25% of phones are lost or stolen per year. Tablets are probably somewhere in the middle. So, we're talking probably 10 to 15% of tablets are going to be lost or stolen each year.
Now, we all know that the amount of memory available on these devices is growing dramatically, and each lost record costs $258 to mitigate, according to the Ponemon Institute. So, if you're losing only 10,000 records -- which really isn't that much if you think about it, it's not a lot of data -- it will cost your organization $2.58 million to mitigate. So failure is not an option here, unless you've got lots of money that you don't mind spending. And, by the way, in some organizations, highly regulated companies, it could even mean jail time for your CIO or CEO if it's egregious enough.
So think about security, and think about why it's important and think about, perhaps, getting devices with some sort of security certifications, FIPS [Federal Information Processing Standards], etc. In many industries, that's absolutely critical. BlackBerry's got it; there are some Android devices that are coming out with it as well now. Windows Phone is moving in that direction. So think about what security and why security is different. Security is often underestimated; it's taken for granted in many organizations. You have to consider it, and you have to evaluate it for all platforms that you're going to support.
Watch part three of this webcast, in which Gold provides seven steps for mobility management.