SURVEY: MOST TOP U.S. COUNTIES VULNERABLE TO SAME MOBILE DEVICE MANAGEMENT SOFTWARE PROBLEM PLAGUING SAN BERNARDINO IN FBI/APPLE BATTLE OVER ACCESS TO CELLPHONE OF ACCUSED TERRORIST
IAITAM Finds Few Major Counties Confirm Requiring Across-the-Board Installation of MDM Software on Cell Phones, Tablets Provided to Employees; 2nd Survey of Wider Universe Finds Much Tighter Practices on MDM Software.
WASHINGTON, D.C. & CANTON, OH.///March 15, 2016/// A survey of the IT departments of 50 top U.S. counties finds that, while most of the government entities provide mobile devices such as cell phones to employees, fewer than half confirmed that they use “mobile device management” (MDM) software, and only about a quarter of the total verified that they require the MDM software to be installed across all county departments. Those International Association of Information Technology Asset Managers, Inc. (IAITAM) survey findings suggest that many U.S. counties could be vulnerable to their own version of the current impasse between Apple and the FBI over accessing a suspected terrorist’s cell phone provided by San Bernardino County, his employer. A separate survey by IAITAM of 177 companies, trade association and government agencies found more than nine out of 10 respondents (92 percent) provide mobile devices to employees, almost three out of four (72 percent) have MDM software in place, and seven out of 10 (70 percent) require installation of MDM software across all departments. A chart detailing the results of the IAITAM survey is available online at http://tinyurl.com/MDMwidergroup.
Available online at http://tinyurl.com/MDMcounties, the phone-based survey of 50 of the nation’s 100 largest counties shows:
- 43 counties provide mobile devices to employees versus seven that do not.
- Of the counties providing mobile devices to employees, 20 have MDM software, nine do not, and 14 counties either did not answer or were not sure about the answer. Top U.S. counties providing mobile devices to employees without MDM software including Harris, Maricopa, Tarrant, and Broward counties.
- Of the 20 counties with mobile devices/MDM software, 9 require it to be imposed across all departments, 2 do not, and 9 either did not answer or were not sure about the answer. The lack of awareness of such a policy on the part of county IT Departments is considered by IAITAM to be equally as troubling as an affirmation that MDM software is not required to be installed. Allegheny County in Pennsylvania and Fairfield County in Connecticut both confirmed that, like San Bernardino County, they do not have uniform policies for installing the MDM software available for county-owned mobile devices provided to employees.
Last week, IAITAM warned that thousands of US corporations, national government agencies and state, local and city government units have the same kind of “sloppy and dangerous” approach to mobile device management (MDM) leaving them exposed to the problem in which San Bernardino now finds itself.
IAITAM CEO Dr. Barbara Rembiesa said: “We see this every day where government and private agencies hand out mobile devices to employees and then fail to install the simple mobile device management software that could keep the company or agency itself safe from attack and, as we saw in the San Bernardino incident, also keep our nation safe from attack.”
Rembiesa said: “The truth is most government agencies and corporations fall down on the job when it comes to Information Technology Asset Management (ITAM) in general. But mobile device management, including best-practice policies and application of MDM software, is a real blind spot.” “Some companies and government agencies think that all they need to do is focus on servers, desktop computers and laptops and that they can somehow ignore mobile devices, such as phones and tablets,” Rembiesa said. “However, these devices are every bit as much in need of ITAM as any other technology in the workplace. A sloppy and dangerous approach to MDM is an open invitation to theft, loss of data, breaches, and the kind of huge reputational damage we are seeing today in San Bernardino County. For a publicly traded company, this kind of error could be devastating.”
On the question of how may counties have across-the-board Information Technology Asset Management practices in place, 29 said they do, six said they do not, and 15 either did not answer or were not sure about the answer. The second survey of 177 companies, trade association and government agencies found that 55 percent have ITAM policies in place across all departments.
San Bernardino County is far from the only government agency with an embarrassing track record on mobile device management. In February 2015, IAITAM issued a report on federal government IT waste and mismanagement. At that time, IAITAM noted that the IRS was found in a 2014 IG report to be paying monthly service fees for almost 6,800 devices that were not inventoried (almost 17 percent of total devices, and almost $2 million per year in service fees). For more than 700 employees, the IRS paid for multiple mobile devices (between two and five) despite the prohibition against multiple devices. Nearly three out of five (57 percent) of mobile device inventory records were incorrect at an agency where 94 percent of employees are provided with a mobile device.
Apple and the Justice Department are currently arguing over the legality of unlocking the work-issued iPhone of the San Bernardino County employee and gunman, who is accused of being a terrorist. At the center of the legal battle is whether Apple can be ordered to provide a specialized software to allow the FBI backdoor access to the gunman’s phone.
San Bernardino County paid for the MDM software for its employee, but it was never installed. If a best practice MDM policy had been implemented – one requiring uniform installation and application of the MDM software — investigators could have remotely and legally unlocked the phone and thereby circumvented the legal dispute now underway.
The software cost San Bernardino County just $4 per device on which it was to be used. In an inconsistent approach to Information Technology Asset Management, San Bernardino County lacked an across-the-board policy requiring all departments to use the MDM software. Instead, departments were allowed to make their own decisions.
The International Association of Information Technology Asset Managers, Inc. (IAITAM) is the professional association for individuals and organizations involved in any aspect of IT Asset Management, Software Asset Management (SAM), Hardware Asset Management, Mobile Asset Management, IT Asset Disposition and the lifecycle processes supporting IT Asset Management in organizations of every size and industry across the globe. IAITAM certifications are the only IT Asset Management certifications that are recognized worldwide. For more information, visit www.iaitam.org, or the IAITAM mobile app on Google Play or the iTunes App Store.
Max Karlin, (703) 276-3255 or firstname.lastname@example.org