There is often talk of the growth in mobile threats and, in 2011, we saw significant growth in volume in percentage terms. Yet the absolute numbers involved were still relatively small – in the thousands, rather than the hundreds of millions that unleashed themselves on the PC last year.
At the same time, we did see far greater innovation in the nature of mobile threats, with attackers focusing on finding vulnerabilities to exploit, such as the botnet concept, as well as where money can be made and information stolen through smart devices.
So what is the right way to manage that threat and soften its impact?
Let me start by looking at process – and please bear with me as I do. In the past 10 years, the cost of a laptop computer has plunged by a massive 90%, while already it’s predicted that the price of smartphones will drop by a third over the next couple of years alone. In fact, there are examples of big falls this year already: take RIM, for example, down 26% on some of its devices.
Right. So you’re probably wondering why I’m talking about device costs here. My underlying point is this: might it just be the case that we’ll soon reach the tipping point where the diminishing value of devices means, quite simply, that they’re just not worth protecting? Don’t get me wrong. I’m not suggesting we no longer need security. The question is: what are we actually trying to achieve?
When I started at Dr Solomon’s in the early nineties, recovering from a virus on a PC was a significant event. At that time, imaging was not common and backups were poor, so systems would be built again from the ground up and data could be permanently lost. The upshot was that we sold anti-virus to mitigate the cost and effort in recovering from the infection.
With a modern smartphone, it’s a whole different ball game. I can reset the device and, in most instances, the apps installed and, increasingly, the data will be restored through services such as iCloud. Equally, in this increasingly disposable world, smartphones typically now have a life span of between 6 and 9 months from a manufacturer’s stance, with most provider contracts being around a year to 18 months. That being so, has the device simply become the disposable shell that can be reset or replaced more quickly and cheaply than actually solving the infection/attack?
With all this in mind, I look at our existing security and wonder if perhaps this is the right approach to take, going forward. If you can agree that the device is becoming ever more a disposable item (albeit recyclable!) – and that it’s quicker to reset and recover, rather than repair – what is it exactly we need to secure?
In the world of Social Mobile Cloud (SoMoCo) and information explosion, it would seem that the two most pivotal factors are managing the integrity and the confidentiality of the information we have and use. The throwaway nature of the smart device and the resiliency of the cloud go a long way to ensuring availability. That being so, the priority is more about keeping the information – rather than the device itself – up and running.
What does this signify in practical terms, though? For me, it means that security needs to get much closer to the information. Let me explain. Looking back over the last two decades, security started in the operating system, then broadened out in both directions – into the network, and up into the application and session layers. True, we still need to innovate with concepts such as security in the hardware, but, logically to me, the future is all about that greater security-information alignment.
To achieve this, there has to be better, tighter integration with the vast array of information structure types. Just take a look at the likes of Google, which is perceived to be the leader in Internet information management. Recognising the significance of security at the information level, it has dug into its (admittedly deep) pockets and made a number of security acquisitions. If Google is taking this so seriously, it should be a timely reminder to the rest of us: information is power and you can’t afford to let it be jeopardised or slip through your fingers.