No Jitter is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

MDM -- Get It Done!

Businesses that ignore the threats of privacy violations, insecure data storage, and insecure transport associated with the use of mobile devices are opening themselves up to losses, potential fines, and unnecessary liability, reports HP Security Research in its "Cyber Risk Report 2015."

In my previous No Jitter post, Implications of Socializing the Network, I discussed human latency issues affecting IT, and now it needs to be said that the core of IT worse practice is foot-dragging around patch and change systems and gear. This remains a key vulnerability, HP noted.

The Problem in Patching
Clearly, IT's resistance to patching and making changes indicates that many enterprises lack a comprehensive policy for these processes. The absence of strong policy has a paralyzing effect: Network and system admins don't want to stick their necks out on patch and change management because doing so heightens the risk of introducing bugs and other problems and creates unsettling results that could potentially wreck anyone's day.

Patch and change management leads to a huge variance in IT, and this in turn leads to disruption and loss. The reality is, software coding isn't ever likely to become defect-free. But, as HP pointed out, it can be improved through "a properly implemented secure development process that can lessen the impact and frequency of such bugs." Then, taking a more aggressive approach to patch and change management translates to lessening the severity of compromises when they do occur.

Mobile Trouble
This brings me to enterprise mobility, with mobile device management (MDM) getting a pass right now by many enterprises. My guess is that some may be taking a wait-and-see approach. In its cyber risk report, HP hinted that mobile security didn't become recognized as a real issue until 2014. So the message today for enterprise IT is: Don't wait on deploying an MDM solution because the threats increase in line with greater use of smartphones and the rise in the number of connected devices.

"Attacks often involve various layers of the device infrastructure. This could include applications running on smartphones or tablets, and on cloud services as well as the firmware and application layers residing on the host processor. Various vectors of propagation can also
be used, including compromised update files and exploited network and host processor communication layer vulnerabilities, as well as possible vulnerabilities in cloud service infrastructures and smart device applications."

Without MDM, enterprises are assuming risks and taking on unnecessary liabilities. IT must enforce better policies of what is acceptable and minimize the variance. How? Standardize on the apps and hardware then level the playing field with the same operating system and apps for all users. Remove the Wild West component of users deploying whatever they want to accomplish their work. Obviously, the app makers are not as concerned with security as they might be, as reported in my post, "Vulnerabilities Threaten Collaboration."

Enterprises must reduce variance. This isn't complicated but it can be challenging with BYOD policies left unchecked. Even in the BYOD space, acceptable corporate use and what IT is willing to expose is better than BYOD without MDM and an attitude of using BYOD to cut costs or corporate ownership of smartphones. Whether you allow BYOD or not, MDM is a required element and is not the end-all solution.

MDM is a get-it-done project -- the losses you could incur from not doing so are potentially far greater than you can imagine. HP makes another observation and that is, "By using all tools available and not relying on a single product or service, defenders place themselves in a better position to prevent, detect, and recover from attacks."

Follow Matt Brunk on Twitter and Google+!
@telecomworx
Matt Brunk on Google+