Many companies have been attempting to adopt a BYOD (Bring Your Own Device) policy, but not many are quite so secretive about their information as the U.S. Army. A report by the military's inspector general said Army tech directors have not done an adequate job of securing commercial mobile devices, creating cohesive security policies or getting authorization for pilot programs, as required by the umbrella policy of the military branches. Failures like these, the report said, leave the Army vulnerable to a greater number of cybersecurity threats.
J. Nicholas Hoover wrote on InformationWeek that the Army has been one of the most passionate advocates of mobile devices in the military, with CIO Mike Krieger saying that they are trying to push the envelope and move quickly into the BYOD era. However, the inspector general said in the report that there needs to be a more comprehensive set of policies for the use of devices and removable media, as well as better training for those planning to use mobile devices in the field.
"As part of the study, the inspector general visited the U.S. Military Academy and the Army Corps of Engineers' Engineer Research and Development Center, each of which has pilot and other mobile device efforts underway," Hoover said. "However, neither organization got CIO authorization to use or even in some cases to test a large portion of their mobile devices, which left the Army CIO unaware of more than 600 mobile devices actively in use."
There was also incomplete and inconsistent use of management software for mobile devices, the report found, with employees and soldiers alike storing personal and even sensitive data on these devices.
Wired.com said an inspection at West Point showed that 15 out of the 48 devices audited didn't even have passwords set up, a definite data security blunder. Assistant inspector general Alice F. Carey wrote in the report that if devices remained unsecured, malicious activity could disrupt Army tasks. Outside of passwords, the improperly used smartphones and tablets had the potential to trigger data leaks and attract cybersecurity attacks, the report said, with many of the devices said not to be connecting properly while still gaining and storing sensitive information.
"Some of the data security failings are more mundane," Wired said. "Commercially purchased devices should be set up so the data on them can be wiped remotely, according to Pentagon regulations, but because of the lax requirements on configuration, two devices stolen from the home of an Army Corps of Engineers employee couldn't be remotely restored to its factory settings. (And again, don't bother reminding them that there's a bunch of data that stays latent even after a wipe.)"
VA stalls on BYOD as well
Going along with the theme of soldiers, Hoover reported in a previous story that the U.S. Department of Veterans Affairs, which has been planning on letting employees use their own devices, will not move ahead until it can resolve the legal issues that exist. This is another stumbling block in a plan that has, thus far, been riddled with them across the entire U.S. government.
Acting VA CIO Stephen Warren said they still have not gotten a "clean read" on the legality of rights and responsibilities on dual-use devices. He said the agency will be holding off on plans altogether until they can figure that out.
"I would hate to lay out false expectations for the department as to what [information] it can get to, or to our employees in terms of privacy," Warren said, according to InformationWeek.
Consumerization News from SimplySecurity.com by Trend Micro