Mobile Devices Intensify IT Security Jitters
Former TSA CISO on the Challenges Facing Mobile Security
"A lot of people are becoming more connected," says Patricia Titus, a Unisys vice president and onetime CISO at the federal Transportation Security Administration. "They are leap-frogging into these smart phone technologies and tablet PCs."
People using smart phones and tablet PCs aren't aware of the lack of security when they are performing transactions online using these new technologies. "There is a false sense of security that they can perform the same transactions online that they could on a PC that might have a full-blown security software package loaded on it," Titus says in an interview with Information Security Media Group (transcript below).
The recent string of breaches, including Sony and Epsilon, has exposed consumer information and eroded the public's trust. To maintain strong customer relations and keep pace with a changing IT environment, companies, government entities and financial institutions need to step up and provide security software and services to their clients. "If I want to do online banking with you, what kind of security can you offer me for my iPhone, Blackberry or Android?" Titus asks.
Financial institutions and merchants are going to have to come up with answers to such questions and offer elevated security to those people who want it.
In her interview, Titus discusses:
- How businesses can improve customer relations by offering free security software,
- The prospect of Congress enacting significant IT security legislation, and
- How the Unisys Security Index works.
The Unisys Security Index
ERIC CHABROW: Before we get into the meaning behind the numbers in the Unisys Security Index, please take a few moments to explain how the index works and point out some of the highlights from the new survey.
PATRICIA TITUS: The Unisys Security Index is done twice a year and it surveys about 1,000 people. The one that we're going to talk about today is specific to the United States but we also do several other countries, and that information will be released later this month. What we attempt to do is a sampling of the pulse of what's happening in the United States. We keep the questions the same every time we do the index, sampling different people each time. And we add two supplemental questions at the end and those supplemental questions are the ones that change. Those questions can vary.
What we're attempting to do is raise awareness in several different areas about what's happening in the country and what citizens are feeling about their security, including national security, financial security, Internet security and personal security. Those are the four key areas that we focus on. What's unique about the security index this wave is we saw a drastic spike in concern in all four of those areas, which is unusual because since 2007 it remained relatively flat. Then last year in October we actually saw a dip. The sampling goes from one to 200, with 200 being extremely concerned. We saw it dip down to 136 at one point last year and the spike this year took us up to 164. That's a pretty drastic jump which was in all four of those areas we are focusing on.
CHABROW: With a significant statistical jump, what's behind it?
TITUS: A lot of people are becoming more connected. They are leap-frogging into these smart phone technologies and tablet PCs. They've got it in their hands, they're carrying it on their hips, they've got it in their purse and they can be connected all the time and be aware of what's taking place across the globe. It's at their fingertips. We're seeing so much of an increase because people are becoming more aware using these smaller form factors and these mobile devices. It's giving them the freedom to be connected and see what's happening across the world.
CHABROW: Is concern about IT security the same thing as worrying about IT security?
TITUS: The difference between the two is people will worry about something or they'll be concerned about it. I don't think worry and concern are interchangeable. If I'm worried about something or concerned about it, I might actually want to do something about it and take some action. I think that's where we're seeing people raising awareness. If I'm going to use these smart phones or tablet PCs for shopping or online banking, what's the security that needs to happen between that device and the vendor that I'm going into to perform some sort of online transaction? There is a false sense of security that they can perform the same transactions online that they could on a PC that might have a full-blown security software package loaded on it. I think that's why we're seeing a rise in awareness. Internet security is now coming down to these tiny little handhelds that a lot of people don't realize don't have anywhere near the same security level that you would have on a laptop with a security package. I think the vendors are starting to address that, but it's been a little bit of a slow roll, to be honest.
The Effects of Breaches
CHABROW: That's interesting you talk about not having the same security as laptops or PCs. The survey was taken in February, before the breaches at RSA, Epsilon and Sony PlayStation became known, and a lot of those involved people using PCs. What impact will those breaches have on the confidence of Americans transacting business on the Internet?
TITUS: I think there are going to be some impacts and fallout from that and I wish we could do the survey today based on those events because I think it would be very different. I think that's going to chip away at the security and trust that the public has of doing business. I don't know that it will stop a lot of people until it happens to them. Unfortunately a lot of people read about things happening and don't think it's going to happen to them. What is the fallout from the Epsilon and Sony breach and are people going to hold their breath and wait and see what happens or are they going to proactively go and take actions? And are the institutions actually going to help people understand what protections they could put in place for themselves?
CHABROW: A lot of our listeners and readers on our websites are in banking and healthcare, for example. How should those organizations take your survey and what should they be doing about IT security?
TITUS: Some of our financial institutions are really starting to step up to the plate and offer services and software for their consumers and their clients. I think people are going to start looking and say, "If I want to do online banking with you what kind of security can you offer me for my iPhone, Blackberry or Android?" The financial institutions and merchants are going to have to come up with answers to that and maybe offer some elevated security for those people who either want it - or in some instances just offer it for free. I've seen a couple of banks starting to do that where they're offering free downloads of the software package. I think that people are going to look at that and say that's the financial institution I want to do business with because they're taking security seriously. It takes the worry out of my hands. People like to work with organizations where it's easy to interface with them. And if it's easy for me to go to my bank, have them give me a security package for free and I don't have to pay for it, I'm going to be okay with that.
Customer Relations: Steps Companies Can Take
CHABROW: My Internet service provider provides me with a security package from a named vendor. Is this a model that other organizations are going to have to look at, as you just mentioned, regardless of the type of business they're in, if they have a substantial number of customers to whom they provide these kinds of security services?
TITUS: That's the first step. I just don't want people to get a false sense of security because you and I both know that the minute you think you've gotten a half step in front of the bad guys, they figure out some other way around. I wouldn't want people to get a false sense of security that this is going to protect them 100 percent. But it's going to certainly take them to a place that they may not currently be at. It's going to elevate their security. There's still a lot of user responsibility as well. The consumers need to continue to educate themselves and our citizens about what's happening in the world.
There have been a lot of developments recently about enhanced hacking capabilities by using rootkits, and things like that, which are not going to get caught by our security packages. Just to make sure people are clear, it's not 100 percent, but you'll be better off than where you might be today - and I think that model absolutely has to change. This is something that our legislature should be looking at and taking on to protect their consumers. This is something our legislatures could look at and say, "Maybe we need to update some regulations here, like our PCI standards, and maybe start adopting these types of models into that legislation and regulation."
Cybersecurity Legislation
CHABROW: Let's talk about Congress for a moment. For the past two Congresses, lawmakers have held hearings, debated and generally agreed that new legislation is needed to help strengthen the defense of the government as well as the national IT infrastructure. Yet no significant cybersecurity legislation has been enacted. One reason given is that lawmakers and constituents have not clamored for such change. Do you think that citizens will demand change, and will the current Congress work to enact significant IT security legislation?
TITUS: I'm cautiously optimistic that something is going to happen this year. I think comprehensive cybersecurity legislation is difficult to do because the threat changes so frequently. It's certainly an excellent opportunity to provide guidance to those people that need it. I don't know that our constituents are screaming for it yet. I hope that there is more movement toward that. We have to determine where some of this responsibility lies. Is it the consumer of these technologies that they're using to get on the Internet? Is it the manufacturer of the devices offering security defaults versus the way you currently get it? There is very little security, like a four digit PIN code maybe. It's not necessarily easy to navigate through these smaller devices to be able to turn security on.
I think we need to look at where our responsibility lies and see if we can't offer our legislature some ways to help influence what's happening. Let's offer more security on these mobile devices and let's see if we can't help drive some changes as consumers, let alone as citizens clamoring to the hill to say they have to create some legislation. We might be able to do it through people speaking out and saying, "I'm going to do my banking with this bank because they offer me more security." Obviously that's going to help change the marketplace, and it might be a better way to go about some of this rather than expecting legislatures to write laws that might change very quickly. And that's also been a problem that they have. Where do I target first? It's a pretty big field of opportunity. There's a lot of work to be done on everybody's part to be honest. I'm very cautiously optimistic that something will get done this year. I'm just not sure what it is.