Responses to the #1 topic on IdeaScale, “Consumers dictate device usage, not IT,” indicate that MANY of you believe consumers will drive smartphone adoption in Higher Education, while the sentiment around the topic, “Get rid of the walls around your enterprise data,” indicates that quite a few of you believe that core university data should be accessible to smartphone users.
However, yesterday’s polls have shown that not even all of the attendees of yesterday’s webinar use PINS or swipe patterns on their smartphones. The inherent difficulties in entering a complex password on a smartphone increase the likelihood that users will rely on simple passwords, if any, to access their devices. At the same time, users are expecting access to more and more university resources through their smartphones, increasing the risk of a data breach.
Where does security fit into this picture?
In Thursday’s webinar, “Smartphone Privacy & Security, What Should We Teach Our Users?“, the speaker, Norman Sadeh, indicated that mobile users are three times more likely to fall for phishing attempts. That statistic implies that spear phishing against university communities, which already demonstrates more success than we’re comfortable with, will be even more effective against smartphone users. As we find ourselves more and more hurried, making quick decisions just to handle the ever-increasing stream of information flowing at us, we’re more prone to fall for these attacks.
I would guess that many of us who own smartphones are using them to access our university e-mail, if not other university resources. Most of us don’t have any control over whether someone may e-mail us private or confidential information. If our smartphones become the weakest link in protecting data, they will be targeted.
How many of us have misplaced our smartphones or left them sitting on our desk in an unsecured office? Have you left your smartphone in a taxi or on a shuttle bus?
Increased access to university data is a desirable convenience. Will we be able to get the right combination of security controls, user training, and policies in place to allow smartphone access without it leading to a security breach resulting in a notification event or embarrassment to the university? What kinds of security controls are you using to prevent this? What security apps do you recommend to your users?
Lots of troublesome questions. Where are the answers?
Co-chair, Awareness and Training Working Group
EDUCAUSE/Internet2 Higher Education Information Security Council
Policy and Awareness Analyst
Rochester Institute of Technology
Become a fan of RIT Information Security at http://rit.facebook.com/profile.php?id=6017464645
Follow me on Twitter: http://twitter.com/bwoelk
Follow my Infosec Communicator blog at http://benwoelk.wordpress.com
This blog entry is part of the EDUCAUSE Mobile Computing Sprint and is cross-posted at http://www.educause.edu/blog/bwoelk/SecureMobileanOxymoron/227983