BYOD 'kill switches' offer false security

Industry Insider by Jeff Rubin
Tools

Now, don't get me wrong--I think the recent [California] legislative push to require a "kill switch" in mobile phones is great. Kill switches allow mobile users to permanently disable their phones when they're stolen or lost, rendering the phone completely useless for would-be thieves who might want to sell the phone, or, if applicable, the data on it.

Many of us feel a tad uneasy walking around with our whole lives in our pocket in the form of that highly connected little rectangle. The kill switch would do much to alleviate this by diminishing the reward for those bad guys that walk amongst us. (And I live in San Francisco, where two thirds of all robberies are mobile phones.)

Some companies--which likely includes many SMBs on relatively tighter budgets--may view the kill switch as a convenient shortcut to a data security solution on employee-owned devices. It's tempting, then, to think that the kill switch would obviate the need for a complicated bring-your-own-device data security policy.

But the kill switch isn't the panacea it might appear to be, even if it is widely adopted by mobile phone manufacturers. (Apple's iOS 7 operating system incorporates a kill switch; a recent effort by the California legislature to require all mobile-phone manufacturers to implement it fell just short, but a new version is making its way through Sacramento and national legislation is coming soon.)

Why does a kill switch fail to address BYOD security? Because, for all of its societal goodness, it doesn't really address the actions and incentives of an individual employee who has his company's data in the palm of their hand.

Remember, the company won't have control over the kill switch. That just will not happen with an employee-owned device, unless a business is looking for a mutiny. Rather, it will remain in the hands of the device's owner--the employee.

While a company's data security team could surely be trusted to disable a device the second they knew there was a chance it was lost or missing, employees are likely to act much slower, waiting until they're sure the device is gone for good before opting to put it out of commission. And by that time, it's probably much too late to protect sensitive data from mischievous eyes.

So, while companies may control the kill switch on devices they own making it perhaps a useful security feature on corporate devices, it is inapplicable to the BYOD environment.

Likewise, the kill switch also doesn't solve the problem of securing data on devices used by contractors. Once a contractor leaves the company, the corporate data stored on her device is entirely in her hands--and outside the company's grasp.

As far as the enterprise is concerned, therefore, the kill switch looks a lot like a baby blanket (bear with me here).

The implementation of the kill switch in mobile devices shouldn't harm companies, but it may lull them into a false sense of security--causing them to forego existing tools that are actually much more effective.

For example, while the kill switch would allow a company to disable a device entirely, containerization allows the company to wipe only the portion of the hard drive on which corporate data is stored--leaving both the employee's personal data and the device itself intact. Employees, you could then reason, will be much more likely to report misplaced or lost devices if they know that only their work files are at risk for immediate remote quarantine or deletion.

Oftentimes more flexible encryption and automatic security features are sufficient to the BYOD dilemma, such as a programmed device shutdown in response to a string of invalid login attempts, or when the device goes outside of a pre-determined radius.

Businesses also need to remember that mobile devices aren't limited to phones. Tablets and laptops move with employees and are likewise prone to falling into the wrong hands. And no kill switch has been proposed to work on these devices (tablets have been excluded from the newest California legislation).

It's possible that SMBs could be most susceptible to counting on the kill switch as its cost-effective solution to BYOD security, since their budgets and resources tend to be smaller. But, while they might not be able to develop a BYOD data security strategy from scratch, plenty of managed service providers help with the employee device problem, providing things like monitoring, reporting and encryption.

If and when the kill switch is widely adopted (and I hope it is), phone thefts should diminish. (San Francisco would presumably revert to laptops or bicycles being its most-stolen item.) But businesses cannot rely on the kill switch to do the dirty work of data security in the ever-growing BYOD landscape.

About the author: Jeff Rubin is co-founder and vice president of product strategy at Beachhead Solutions, a company that designs cloud-managed mobile device security tools.

For more:
- see the CNET article on California kill switches

Related Articles:
California's mobile device kill switch bill rides again [FierceMobileIT]
Bill to mandate phone kill-switches dies, but industry rallies anyway
Kill switches could save consumers $2.6 billion, study says [FierceMobileIT]