This month, the Department of Veterans Affairs will begin allowing iPhones and iPads on its networks. The move underscores CIO Roger Baker’s commitment to providing employees with the tools and technologies they deem necessary to get the job done. The effort is being watched closely by other agencies and departments, and is symptomatic of a new trend in IT, where technology adoption is led by employees first and enterprises second. Unfortunately, the explosive growth of mobile technology – particularly in the area of smart phones and tablets – not only provides a proliferation of new and exciting tools, it also represents a potentially serious security concern.

There is an inherent risk in pushing data to mobile devices, especially when those devices increasingly function as mini-computers.  Today, smart phone marketplaces like the Apple App Store and Android Marketplace offer consumers a place to purchase a slew of productivity, entertainment, and media applications.  In fact, it’s been suggested that today’s App Stores are the most vibrant application marketplaces in computing history.  But with the ability to run applications also comes the ability for malware, viruses, and other malicious software to compromise user data, hijack computing power, or even conduct surveillance.  According to the 2011 mobile threat analysis by McAfee, mobile malware has doubled since 2009, with the threat landscape for smart phones mirroring many of the same pitfalls as PCs. 

And no mobile platform is completely secure. A German researcher this year exposed serious security vulnerabilities in mobile operators, including T-Mobile and Vodafone. Using only a standard handset and free applications, the researcher was able to decrypt data from cell networks and read the incoming and outgoing messages of other users. The weak encryption used by many cell phone operators is more often a product of necessity than one of neglect, since encryption can hamper their ability to monitor and manage traffic. At the same time, it represents an active security vulnerability for mobile users.

So what are agencies to do? 

1. Apply the basic principles of application security. While the architecture of mobile devices – and the way they access the network – may be different, agencies should apply and enforce the same principles governing their use.

2. Integrate security early. As agencies begin to develop mobile applications or look to welcome new platforms to their infrastructure, they should ensure that security is a top priority from day one. Understand the threats that could compromise your network before deployment.

3. Recognize that a smart phone is not a laptop. Mobile devices are a new brand of computing, and as such they may require agencies to revisit security controls such as encryption and access control.

4. Embrace the differences. Sometimes mobile devices have built-in security that’s worth cheering about. When a government laptop with the sensitive data of 26.5 million citizens was stolen in 2006, agencies began looking for new software tools that could locate and remotely wipe devices in cases of loss or theft. Today, devices like Apple’s iPhone have these capabilities built in – providing agencies an extra layer of defense. Similarly, the move towards cloud computing being led by Google Apps greatly reduces the amount of data stored locally on the device.

5. Educate users on mobile vulnerabilities. A little goes a long way in reminding users that their smart phones are vulnerable to security threats, just like every other computing device. Greater consciousness can lead to more responsible decision making in the applications users download and the data they transmit.

The move by the VA is encouraging and should provide a valuable case study for other agencies that have been eager to adopt mobile technologies. As they do, it’s important to remember that the world of mobile is still in its infancy – the iPhone was first introduced only four years ago, and the App Store didn’t launch until a year after that. Much of the security infrastructure is still developing, but that doesn’t mean agencies should wait another decade. Like the embrace of cloud computing, the benefits of mobile technology may outweigh the risks – but smart precautions can mitigate vulnerabilities and increase the adoption of these transformative technologies.