Thousands of US corporations, national government agencies and state, local and city government units have the same kind of “sloppy and dangerous” approach to mobile device management (MDM) that has led to the current impasse between Apple and the FBI over accessing the phone of a suspected terrorist, according to the Canton, OH-based International Association of Information Technology Asset Managers, Inc. (IAITAM).
IAITAM CEO Dr. Barbara Rembiesa said:
“My professional estimate would be that about a quarter to a third of government agencies and corporations are not practicing what I would call ‘safe mobile device management.’ We see this every day where government and private agencies hand out mobile devices to employees and then fail to install the simple mobile device management software that could keep the company or agency itself safe from attack and, as we saw in the San Bernardino incident, also keep our nation safe from attack.”
Rembiesa said: “The truth is most government agencies and corporations fall down on the job when it comes to Information Technology Asset Management (ITAM) in general. But mobile device management, including best-practice policies and application of MDM software, is a real blind spot.”
“Some companies and government agencies think that all they need to do is focus on servers, desktop computers and laptops and that they can somehow ignore mobile devices, such as phones and tablets,” Rembiesa said. “However, these devices are every bit as much in need of ITAM as any other technology in the workplace. A sloppy and dangerous approach to MDM is an open invitation to theft, loss of data, breaches, and the kind of huge reputational damage we are seeing today in San Bernardino County. For a publicly traded company, this kind of error could be devastating.”
San Bernardino County is far from the only government agency with an embarrassing track record on mobile device management. In February 2015, IAITAM issued a report on federal government IT waste and mismanagement. At that time, IAITAM noted that the IRS was found in a 2014 IG report to be paying monthly service fees for almost 6,800 devices that were not inventoried (almost 17 percent of total devices, and almost $2 million per year in service fees). For more than 700 employees, the IRS paid for multiple mobile devices (between two and five) despite the prohibition against multiple devices. Nearly three out of five (57 percent) of mobile device inventory records were incorrect at an agency where 94 percent of employees are provided with a mobile device.
Apple and the Justice Department are currently arguing over the legality of unlocking the work-issued iPhone of the San Bernardino County employee and gunman, who is accused of being a terrorist. At the center of the legal battle is whether Apple can be ordered to provide specialized software to allow the FBI backdoor access to the gunman’s phone.
San Bernardino County paid for the MDM software for its employee, but it was never installed. If a best-practice MDM policy had been implemented, one requiring uniform installation and application of the MDM software, investigators could have remotely and legally unlocked the phone and thereby circumvented the legal dispute now underway.
The software cost San Bernardino County just $4 per device on which it was to be used. In an inconsistent approach to Information Technology Asset Management, San Bernardino County lacked an across-the-board policy requiring all departments to use the MDM software. Instead, departments were allowed to make their own decisions.