Who's to Blame for Mobile Device Breaches?

The rate at which mobile devices are proliferating is staggering. According to a recent white paper by Harbor Research, there are approximately 2.8 billion mobile phones in use today, with 1.6 million new ones added every day. And that's just phones. Analysts tell us within 15 years, the Internet will need to accommodate over one trillion (with a T) non-PC devices.

Whether you call this phenomenon "the network of devices" or "the Internet of things," the underlying message is the same. Connectivity now encompasses everything from TVs and cell phones to cars, medical devices, networking equipment, environmental controls, industrial sensors, aircraft and everything in between. Everything connected...ahh, how nice. Well, maybe not.

Swift consumer adoption is driving mobile market growth, but it is also increasing complexity and security risks. Managing the personal and enterprise interface with the Internet is becoming tremendously more complex due to the number and diversity of devices connecting to it, and the new types of content we're sending across the Web. These days, non-PC devices connected to the network are exposed, from day one, to advanced polymorphic malware and viruses that can infiltrate a device without the user ever knowing it.

Everyone agrees that security is a big concern, but who's accountable after a security breach? Is it the consumer who inadvertently downloaded a virus? Is it the device manufacturer who didn’t bother to build device security into the product from the start? Or, is it the fault of the service provider or carrier whose network the data moved across?

Unfortunately, when it comes to security, the "connected devices" industry has not outlined a best practices approach. That's probably because, of all the devices that connect to the Internet, only workstations and cell phones are really represented, as classes, by manufacturing consortia. That means security design decisions are typically made on an ad-hoc basis and different approaches are used for different products. Sadly, security is often added into devices only after a high-profile breach gets splashed across the Internet.

I'd posit that device manufacturers have perhaps the most responsibility -- and the most control -- over the security of their devices. They also have the most to lose if they get it wrong. Customers experiencing problems call the company whose logo is on the device, regardless of who wrote the software running on it. So when devices suffer security problems, support calls increase, devices get shipped back for troubleshooting, and device manufacturers get stuck with the blame.

Unfortunately, many device manufacturers have an incomplete security approach or refuse to acknowledge that it is "their problem" at all. Designing and budgeting for security at the right time, early in the product design cycle, is often viewed as unnecessary by manufacturers. However, this stance is shortsighted when the cost of supporting a device over its entire useful life is taken into consideration. The damage to customer confidence and brand equity caused by devices that are compromised is substantial. Additionally, security breaches through incomplete device defenses routinely impact shareholder value for device manufacturers -- just take a look at the news.

Device security isn't easy for manufacturers. Most security packages are designed for PCs, not devices, and common security protocols like SSH and SSL can be difficult to squeeze into the small memory and processor environments of many devices and controllers. Casually implemented security on devices can deliver big performance hits and eat through valuable battery life. But good, fast, small security solutions specifically designed for embedded device environments are out there.

The embedded device manufacturer's approach to security affects service providers and enterprises as well. Service providers consistently strive to deliver first-class consumer experiences, and the potential for compromised devices connecting to their networks (and spreading infections) represents a substantial exposure. Service providers, carriers and service provider vendors such as Google, Apple and AT&T want to be able to offer enhanced, revenue-generating services that enable people to transact and consume valuable content online. If there’s a loss of confidence in the device’s ability to leverage those services, people will switch platforms -- or providers -- instantly. For commercial concerns, improperly secured devices pose significant risk to the entire enterprise, with huge negative implications for customers, partners, and ultimately shareholders.

To address the device security challenge and maximize the potential of "the Internet of things," everyone -- device manufacturers, service providers and enterprises -- must assume responsibility for security. And we must recognize the need to centralize and standardize how device security is dealt with on all devices, wired or wireless. We need to take a more holistic security approach and apply an extensible framework that secures all aspects of device data access and communication. Securing devices is an industry imperative -- doing it the right way will pay for itself multiple times over in our increasingly connected world.

About the Author

Adrian Turner has more than 15 years of international business experience. Prior to founding Mocana, Turner was responsible for West Coast Business Development and Alliances for Kenamea, an enterprise communication firm specializing in reliable, secure communications. He also had P&L responsibility for developing infrastructure to support Philips Electronics' (NYSE:PHG) connected consumer and business devices. Prior to that in 1996, Turner launched the world's first network of 225 coin-operated Internet kiosks in the Australian market. Turner holds a business degree in Marketing and Finance from the University of Technology in Sydney, Australia, and has completed the Executive Program for Managing Growth Companies at Stanford University. Turner is also Vice Chairman of Australia's leading international expatriate network, Advance (http://www.advance.org/).

About Mocana

Mocana securely enables Internet-scale applications and services for connected devices. Mocana's industry-leading infrastructure software solutions ensure that wired and wireless devices, networks, and services perform and scale with the utmost security—a necessary foundation for a networked society. Customers include Philips, Dell, Cisco, Nortel Networks, and Honeywell among others. Winner of the 2008 Frost & Sullivan Technology Innovation of the Year and 2008 Red Herring 100 Top Tech Startups in North America awards, Mocana was founded in 2004, is privately-held, and is headquartered in San Francisco, California. For more information, visit www.mocana.com/evaluate.html.