My friend Mike Rothman posted a link to an InformationWeek article on “Securing Rogue Mobile Devices.” The article makes a number of sensible points about what kinds of security strategies you should be employing with employees who are carrying their own mobile devices. That said, I have a few problems with the general perspective and tone of the article:
- “Rogue devices” is a misnomer. Do you discipline employees who don’t wear company schwag for wearing “rogue clothing”? Of course you don’t. These are personal choices employees make — forget about the device and focus on the data (which can be leaked even on so-called “approved” devices).
- Users won’t accept “complex passwords” on phones. An alleged best practice is to force employees to keep their phones locked using long, randomized passwords that change frequently. As annoying as this might be on PCs, on mobile phones it’s downright crazy-making. As I point out in my pending report, “Sizing the Mobile Identity Opportunity,” the form-factor of phones is simply not suited to the keyboard-oriented password strategies we’ve become accustomed to on PCs. The PIN is a better model, albeit less secure. Android’s Etch-A-Sketch-like scribbling metaphor (draw a picture to unlock the phone) is probably the best one I’ve heard of yet. Look for more innovation in this area in the future.
- Employees are not a “threat.” Of course, sometimes they make mistakes, like leaving their phones in taxicabs. But the cure for this is a mix of encryption and remote device wipe. In the future, this will exactly resemble credit card deactivation — a phone call to your carrier turns the phone into a brick. Compare and contrast the panicky language of articles like this (the employee is a threat) versus what we hear about credit cards. When was the last time a credit-card carrying consumer was called a “threat”? (And no, testimony from Ben Bernanke about them not spending as much doesn’t count.)
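To make the "PIN is a better model, albeit less secure" trade-off concrete, here is a small added example (not code from the article or its author) that enumerates the valid Android 3x3 unlock patterns under the standard drawing rules (each node used at most once, a stroke may not pass over an unvisited node) and compares the resulting keyspace, in bits, with 4- and 6-digit PINs and an 8-character alphanumeric password. The unlock methods and their lengths are assumptions chosen for illustration.

```python
from math import log2

# Added example: estimate the guessing space of the unlock methods the post
# contrasts (PIN, Android pattern, keyboard password). Keyspace figures are
# computed here, not taken from the article.

GRID = 3  # Android's 3x3 unlock grid, nodes numbered 0..8 row by row


def _skipped_node(a, b):
    """Return the grid node lying exactly between nodes a and b on a straight
    line (the node a stroke from a to b would pass over), or None."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # midpoint is not a lattice node, nothing is skipped
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count valid Android unlock patterns, keyed by number of nodes.
    Rules: no node repeats, and a stroke may pass over an intermediate node
    only if that node was already visited (otherwise it would be selected)."""
    counts = {}

    def dfs(path, visited):
        if len(path) >= min_len:
            counts[len(path)] = counts.get(len(path), 0) + 1
        if len(path) == max_len:
            return
        for nxt in range(GRID * GRID):
            if nxt in visited:
                continue
            mid = _skipped_node(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue  # stroke would select the unvisited middle node
            dfs(path + [nxt], visited | {nxt})

    for start in range(GRID * GRID):
        dfs([start], {start})
    return counts


def keyspaces():
    """Number of possible secrets for each unlock method (assumed methods)."""
    patterns = sum(count_patterns().values())
    return {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "Android pattern (4-9 nodes)": patterns,
        "8-char alphanumeric password": 62 ** 8,
    }


def entropy_bits(space):
    """Guessing entropy assuming the secret is chosen uniformly at random."""
    return log2(space)


if __name__ == "__main__":
    for name, space in keyspaces().items():
        print(f"{name:30s} {space:>16,d}  {entropy_bits(space):5.1f} bits")
```

Running it shows 389,112 valid patterns (about 18.6 bits), which sits between a 4-digit PIN (13.3 bits) and a 6-digit PIN (19.9 bits) and far below a keyboard password (47.6 bits). Two caveats a practitioner should keep in mind: the figures assume uniform choice, and real users pick predictable patterns and PINs, so effective entropy is lower; and on a phone the unlock secret is only the first line, which is why the post's mix of encryption and remote wipe matters more than forcing a long password onto a thumb keyboard.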
