IBM: Users not to blame for poor mobile security

Onus of securing smart devices should not be on employees and education-only method will not work, executive says, noting security of smart devices is becoming as important as PC security.
Written by Liau Yun Qing, Contributor

SINGAPORE--As more users bring personal devices into the enterprise IT environment, the burden of ensuring security of data and device should rest on the company, said an IBM executive.

In an interview with ZDNet Asia on Wednesday, Linda Betz, director of IBM IT policy and information security (CISO), said educating users on how to ensure the security of smart devices is not enough. Even for IBM's tech-savvy workforce, the education-only method is "hard" as the company has 400,000 employees spread across the world with many employees "coming and going", she said.

Betz, who is responsible for Big Blue's internal security, noted that she prefers automating "as much as possible"--especially at the endpoint and policy level. The alternative of having to manually enforce or update for a company of IBM's size "is impossible", she added.

According to her, chief information security officers are trying to keep up with the consumerization trend, where C-level executives and users are increasingly bringing personal devices such as smartphones and tablets into the enterprise IT environment. And while cybercriminals are currently more interested in attacking the PC platform, attackers are moving to target mobile devices, which means ensuring the security of mobile devices is as important as ensuring the security of PCs, Betz pointed out.

"Internally, IBM's view is that smart devices are just like the PC--data is just as important no matter what device it is on. We think that malware can be on either one of them and the threat factor has the same kind of security controls," she said.

Although there is greater fragmentation in the mobile operating system (OS) space than in the desktop world, Betz said this does not make managing desktop platforms any easier. She noted that many employees in IBM have preferred desktop OSes and the complexity of managing the security of desktop operating systems has grown as well.

Betz added that mobile devices are "in some ways" more risky than desktop computers as employees are more likely to lose their mobile devices.

That said, the burden of securing mobile devices lies with the company, said Betz. Data on mobile devices is just like any other data and the company has the responsibility to protect it, she said.

Betz added that in many parts of the world, a company is held liable for any breach of data if it has failed to think through and address data protection. "You have to go back [to the questions]: What kind of regulated data are you dealing with? How have you protected the endpoint and how are you allowing your employees handle that data on that device?" she said.

According to her, the information security department should be responsible for the security of mobile devices without having regular employees worry about mobile security. An employee's job is "to go out and do business" so he or she should not have to worry about security, she pointed out.

Craig Farrell, chief technology officer and IBM distinguished engineer for the global telecom industry, who was also present at the interview, agreed. "The device for me is a tool for the job. A tool has to do its job and if it gets in my way, it's a bad tool," he said.

Farrell also discussed the opportunities for telecom operators to differentiate themselves from their competitors in an increasingly competitive market. Telcos should not engage in price wars as this only commoditizes their services, he urged.

Instead, they should be looking at providing bundled content services by partnering with over-the-top players, he said. For example, if a telco partners with on-demand Internet video streaming companies such as Netflix or Hulu, it can provide a "very powerful bundle" which is unique to the company, he said.

Many telcos today view OTT services as opponents but Farrell noted that telcos' efforts to compete head-to-head with OTT services will be futile. Using Facebook-Skype's videoconferencing partnership as an example, he said that while a telco can try to build its own videoconferencing service, "Generation Facebook will use Facebook".

This strategy also applies to emerging markets because users leapfrog in their adoption of technology, according to Farrell. These users would want the same service as their counterparts in advanced markets, he added.

He added that telcos which want to partner with OTT services should treat it as a business negotiation and arrive at deals that can bring benefits to both sides.