Mind the HUGE Gap: The Key Difference between Securing Mobile Devices and PCs

It is generally accepted that mobile operating systems were developed with more security in mind than their desktop counterparts. It took Microsoft quite a bit of time to plug security holes in Windows that stemmed from design decisions made in the early 90s, and even then the company had to tear up the manual and rework the platform's security model from the ground up for Windows Vista (2006).

So why is it that with these more robust mobile platforms, we are constantly being warned about the security risks to our enterprise data? The answer is actually much simpler than you think.

The Threat Posed by Apps

Excluding complex targeted attacks, the commodity threat against PCs is, dare I say, under control. Malware trying to infect a managed computer first has to make it past all of the network defenses, and even once a computer is "owned", exfiltrating information has to run a second gauntlet of Data Loss Prevention (DLP) countermeasures and egress controls.

In the mobile space, on the other hand, the beast we have to contend with is completely different. Before a user has even set the correct time zone on a new smartphone, they have already downloaded their first app. A conservative estimate puts the number of apps installed and in regular use on a device at any given time at around 30 (Nielsen). These applications don't have to be malicious to cause substantial damage to a business; the fact is, most of them were developed with neither security nor privacy in mind, let alone the needs of your business.

Corporate Poll: Ask your users how many applications they have personally installed on their corporate smartphones vs. their corporate PCs.

Many mobile applications mine the device for marketable information, back it up to whichever third-party cloud provider is cheapest to host on, and resell it into a data-brokerage industry that is subject to very little regulation. So ask yourself these three questions:

  • Is that a place where you want your corporate assets to reside?
  • Is that what your customers expected when they handed you their information?
  • By allowing these apps access to your data, are you in breach of data protection laws?
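Before answering those questions it helps to know which apps on a device are actually in a position to move data off it. The script below is an added example, not part of the original post: it parses the text output of `adb shell dumpsys package` (assumption: the modern format, where each package is introduced by a `Package [name]` line and install-time and runtime permissions appear as `<permission>: granted=true|false` lines) and reports every app that holds the INTERNET permission together with at least one grant to sensitive data such as contacts, location, camera or microphone. The embedded sample output is constructed for illustration.

```python
"""Flag third-party Android apps that can both read sensitive data and reach the network.

Added example (not from the original post). Assumes the text format of
`adb shell dumpsys package`: a `Package [<name>]` header per app, followed by
`<permission>: granted=true|false` lines under `install permissions:` and
`runtime permissions:`. Capture it with:  adb shell dumpsys package > dump.txt
"""
import re
import sys

# Permissions whose data an app could plausibly harvest and upload.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}
NETWORK = "android.permission.INTERNET"

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {permission: granted}} from dumpsys package output."""
    grants = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, {})
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            perm, state = m.groups()
            # A permission can be listed in several sections; any granted=true wins.
            grants[current][perm] = grants[current].get(perm, False) or state == "true"
    return grants


def exfil_capable(grants):
    """Packages holding INTERNET plus at least one sensitive grant -> {pkg: [data kinds]}."""
    findings = {}
    for pkg, perms in grants.items():
        if not perms.get(NETWORK):
            continue  # no network access, so no direct path off the device
        held = sorted(SENSITIVE[p] for p, ok in perms.items() if ok and p in SENSITIVE)
        if held:
            findings[pkg] = held
    return findings


# Constructed sample: three apps, only two of which have a network path.
SAMPLE = """Packages:
  Package [com.example.flashlight] (1a2b3c):
    userId=10150
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    userId=10151
    install permissions:
      android.permission.VIBRATE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
  Package [com.example.social] (7a8b9c):
    userId=10152
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for pkg, kinds in exfil_capable(parse_dumpsys(text)).items():
        print(f"{pkg}: can read {', '.join(kinds)} and has network access")
```

The report lists capability, not observed behaviour: a flashlight app that can read precise location and talk to the network has not been caught uploading anything, but it is exactly the kind of app the questions above are about. Run it against the full dump from a corporate handset and compare the list with what the EMM policy actually restricts.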

The Mitigation

In the PC space, digital defenses are a known quantity. They have developed and matured over years, and most organizations have access to endless best practices and well-seasoned consultants, allowing them to establish a fairly robust defensive posture.

But the speed at which mobility has become the primary way businesses store and transfer data is a cautionary tale. We no longer have the luxury of reacting to a slow adoption curve.

On mobile devices, there is a thriving industry of Enterprise Mobility Management (EMM) vendors. As with all new industries, there are a lot of snake-oil salesmen; it will take time to thin the herd. But the bigger issue is that most enterprises either have not adopted these solutions at all or do not configure them with nearly enough rigor.

The HUGE gap that exists between the wall we’ve built around our traditional computers and the one around our mobile workforce is truly staggering.

Being required to make things work and make them work NOW cannot come at the expense of your data integrity, and in turn, your organization’s solvency. In the construction industry, being required to build a structure faster doesn’t mean it’s any less horrifying if the building collapses a few months later.

The good news is that there is a lot you can do to protect your mobile wealth. Regardless of whether you've embraced a Bring Your Own Device (BYOD) policy or prefer to own your own assets (CYOD/COPE: Choose Your Own Device / Corporate Owned, Personally Enabled), there are products that can segment corporate assets from everything else, protecting your data from greedy apps, distracted users and malicious attackers. All that is needed is the will to build a proper wall.

Just one last piece of hard-earned advice: The traditional approach of applying security at the expense of all else is no longer an acceptable or even needed approach. Today, you can have all the security you desire applied to corporate data that shares the same device with a litany of personal apps. You no longer have to compromise and balance, the user can have their unmitigated freedom, and you can maintain your unwavering policies. This is what the modern architecture on mobile platforms affords us.

Just remember, it doesn’t really matter how sturdy your front door is if you don’t bother locking it.

About Nader Henein

A staunch advocate of Data Protection and Privacy, Nader brings over two decades of tactical experience in the architecture, development and management of secure, scalable systems. He has worked in a wide range of organizations from startups to multinationals allowing for both depth and breadth of experience focused on enabling business without compromise of corporate security or individual privacy. Today, his role hinges on providing solutions to current challenges faced by BlackBerry’s strategic customers in banking, governance, security and beyond.
