When choosing a passcode for that new smartphone, tablet or laptop, do you go with a four-digit PIN? Your mother's maiden name? The digits of your birthday added together, divided by 2 and combined with an exclamation point and your favorite pasta dish or character from "Friends"?
According to a Fiberlink Communications study of 1,000 clients representing some 200,000 endpoints in a wide array of industries, about 15 percent of those surveyed don't even have a password when they should have one. Of the rest, almost three of every four are taking the least strenuous path to compliance – a PIN of four or five characters.
In most cases, using a PIN is an ideal security fix. It's at the top of the list of "10 Quick Tips to Mobile Security," published in January 2012 by McAfee. But mobile device security is a particularly touchy topic in healthcare, where devices could contain or connect to protected health information, providing access to everything from healthcare histories to credit card and Social Security numbers. That's why that industry is at the top of the Fiberlink list in enforcing passcodes on its devices, with 97 percent "most likely to enforce a passcode policy."
But are they requiring enough?
"Corporations are trying to limit the complexity for their users," says Jonathan Dale, the Blue Bell, Pa.-based company's director of marketing. "Are they doing the right things to be secure? One would raise some doubt."
The Fiberlink study, covering roughly 20 percent of the company's 1 million-plus devices secured for businesses across the globe, found that 79 percent use a PIN, while 4 percent use some sort of alphanumeric code (letters plus numbers) and just 2 percent use a complex code that includes letters, numbers and special characters. Of those using a PIN, 74 percent are using a sequence of four or five characters, while 24 percent are using a sequence of six to seven characters and 2 percent are using one of greater than eight characters.
In other results drawn from the Fiberlink study, healthcare came in fourth place in the list of industries in which alphanumeric or complex passcodes are used, behind the public sector (18 percent), financial services (9 percent) and professional services (6 percent). Only 4 percent of healthcare devices feature those more secure passcodes.
"The problem may be that the more complex the passcode … the less useful the device will become," Dale points out.
Dale says Fiberlink is seeing a new trend that company officials expect to grow: Corporations are allowing simpler passcodes to activate the device, but more complex codes to do anything more. In other words, a user may need a simple PIN to turn on an iPad or tablet, then need another code to access programs or apps.
Organizations "are starting to become less concerned about the security needed to simply gain access to the device, but they are going to make it harder to access company resources," he says of the trend, which he calls "containerization."
In a recent blog on the company's MaaSters Center site, Fiberlink's Rob Patey called passcodes the "lowest hanging fruit" of enterprise mobile security solutions.
"Why is this troubling? io9 recently did a report showcasing a robot constructed for a paltry $300 that can crack these codes in just under 24 hours – and that's a high-end estimate," Patey wrote. "Also, considering most people use repeatable digits on their phone or tablet, regular old human hackers can usually get into your smartphone in 10 tries or less."
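As an added illustration (not from the article, Fiberlink or Patey), the following checker models the tiered "containerization" policy described above and the weak-PIN patterns Patey refers to: a passcode is classified into the study's categories (none, PIN, alphanumeric, complex), its search space is estimated, and it is judged against an assumed device-unlock tier and a stricter container tier. The tier thresholds and the pattern rules are assumptions; the article gives none.

```python
import math
import string

# Assumed two-tier "containerization" policy; the article names the model but no thresholds.
POLICY = {
    "device":    {"min_len": 4, "categories": {"PIN", "alphanumeric", "complex"}},
    "container": {"min_len": 8, "categories": {"complex"}},
}

def classify(code):
    """Map a passcode onto the study's categories: none, PIN, alphanumeric, complex."""
    if not code:
        return "none"
    if code.isdigit():
        return "PIN"
    has_letter = any(c.isalpha() for c in code)
    has_digit = any(c.isdigit() for c in code)
    has_special = any(c in string.punctuation for c in code)
    return "complex" if has_letter and has_digit and has_special else "alphanumeric"

def keyspace_bits(code):
    """log2 of the space an exhaustive guesser must cover for a code of this shape."""
    alphabet = 0
    if any(c.isdigit() for c in code):
        alphabet += 10
    if any(c.islower() for c in code):
        alphabet += 26
    if any(c.isupper() for c in code):
        alphabet += 26
    if any(c in string.punctuation for c in code):
        alphabet += len(string.punctuation)
    return len(code) * math.log2(alphabet) if alphabet else 0.0

def has_trivial_pattern(code):
    """Repeated or stepwise digits (1111, 1234, 4321): guessable in a handful of tries."""
    if not code.isdigit() or len(code) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({0}, {1}, {-1})

def evaluate(code, tier):
    """Return (compliant, reasons) for one policy tier."""
    rule = POLICY[tier]
    reasons = []
    if classify(code) not in rule["categories"]:
        reasons.append(f"category {classify(code)} not allowed for {tier} tier")
    if len(code) < rule["min_len"]:
        reasons.append(f"shorter than {rule['min_len']} characters")
    if has_trivial_pattern(code):
        reasons.append("repeated or sequential digits")
    return not reasons, reasons
```

A four-digit PIN passes the device tier only when it is not a repeated or sequential pattern, and never passes the container tier; the bit estimate makes the gap between a PIN and a complex code visible to whoever sets the MDM policy.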
In his blog, Patey said healthcare organizations should make sure those questions are answered in a mobile device management plan.
"Balance is the order of the day, a pragmatic marriage of user experience coupled with industry best practices. Regardless of what passcode approach you take in securing mobility, the automation of Mobile Device Management (MDM) policies is an essential element to standardizing a vast ecosystem of device types and operating systems," he said. "Furthermore, policies in MDM can help automate remediation workflows when a user locks themselves out of their device or decides to root/jailbreak a device in order to bypass passcode protection altogether. Warn, block or wipe are all at IT’s disposal depending on the severity of the infraction. Also, with MDM, IT gets a clear daily view, through their Watchlist, of which devices are passing passcode muster and which devices are still trying to pass on passcodes altogether."
Dale says he expects mobile device security will continue to evolve with the industry, eventually moving into the cloud and making use of biometric identification.
"Since 2010, mobile technology has continually changed at a rapid pace. It's going to continue to do that," he says.
Mobile device security is also the subject of an upcoming webcast sponsored by HIMSS and the SANS Institute, a Bethesda, Md.-based resource for computer security training, certification and research. The Sept. 10 webcast, titled "Practical Steps for Assessing Tablet & Mobile Device Security," will feature James Tarala, a SANS senior instructor and security expert.
"While many organizations have begun including the assessment of mobile laptops in their audit plans, few have included comprehensive programs for assessing the security of tablets, smartphones and other mobile devices," Tarala said in a press release issued by the SANS Institute on the webcast. "While physicians and clinicians demand to use the latest gadget, oftentimes the security of the data used on the device is forgotten. Too many organizations have had to report data breaches as a result of improperly secured mobile devices and it is expected that this number will only go up."