How to Cover Your Ass When Your CxO Refuses to Use a Passcode on His/Her Mobile Device

In an earlier article, I wrote that Yahoo CEO Marissa Meyer doesn’t lock her phone with a passcode. She’s breaking a cardinal rule of corporate smartphone IT, and she’s not alone. I’ve talked to a number of executives during consulting sessions, asked for shows of hands at speaking gigs, and simply asked people at meetings over drinks if they lock their phones with passcodes, and a lot of them simply don’t. Even those who use passcodes often go with terribly simple, easy-to-guess ones like this one from Spaceballs:

The story has stayed pretty much the same over the past couple of years, according to various surveys:

• Over half the respondents to a 2011 survey by Confident Technologies said that they don’t use passcodes to lock their mobile devices.
• In a 2012 survey conducted by ESET and Harris Interactive, 66% of the smartphone users and 90% of the tablet users who responded did not lock their devices with a passcode.
• 36% of the respondents to a 2013 global study conducted by McAfee and One Poll said they lock their mobile devices with a passcode.

It’s the classic trade-off of security vs. convenience, or as Meyer puts it: “I just can’t do this passcode thing 15 times a day.” It’s annoying, and a lot of people see security measures as just another way that the IT department’s role is to obstruct anyone from getting anything done with technology, as shown in this Dilbert comic from 2007:

A number of people store their passwords in the “Notes” app on their mobile device, but the number source of information leakage is the smartphone’s killer app for execs: email. You can find out a lot about a company through an employee’s email, and the high-ranking the employee, the more valuable the email is. A number of companies — some you’d never expect — hinge all their planning on a handful of spreadsheets that get emailed around between a small group of high-ranking people; I’m aware of at least one Fortune 50 company with a division whose finances hang from a single emailed-about spreadsheet (which often goes “out of sync” because different people often edit it at roughly the same time). Email, accessed through a stolen phone, can prove to be the keys to the kingdom.

Someone from Yahoo’s IT department probably had the unenviable task of trying to suggest to Meyer that she lock her phone with a passcode. Perhaps s/he even cited the relevant line in Yahoo’s IT policy. I’m gld I’m not that person.

It sounds as though Yahoo’s IT department will breathe a little easier once she gets an iPhone 5S, which sports a fingerprint reader in its Home button. Like any other authentication system, it isn’t perfect. The “gummi bear hack” of 2002, in which fingerprint sensors were fooled by fingerprints embedded in gelatin in a reasonably well-known trick that’s been effective at countering previous generations of fingerprint readers. There are conflicting reports on whether or not it would fool Apple’s sensor, which was designed by AuthenTec, one of Apple’s 2012 acquisitions. At this point, flawed or not, I’m sure that Yahoo IT are counting the days until Meyer gets her new phone.

One of the realities of office life is that the “C-suite” and any other employees with a certain rank or “pull” at the company will be exempt from the rules that apply to the rest of us mere mortals. When these exceptions concern IT security, the best you can hope for is to limit the consequences of a security breach and make sure your ass is covered. Here are my suggestions, culled from actual practice at real companies where I’ve either pitched or done some mobile device consulting, if you’re dealing with an exec who refuses to use a passcode to lock their smartphone or tablet:

1. Try to sell the executive on doing the right thing and using a passcode. This is a little easier if there’s at least another person at the same level who does, a little more difficult if everyone’s ignoring the rules. You can attempt to cite things such as the recent ZDNet/Cisco/BT survey, in which they report that one-third of the organizations who responded have already experienced a security breach as the result of the loss or compromise of an unmanaged, unprotected, unsanctioned device.
2. If they refuse to use a passcode, be sure to enable mobile device management (MDM) on their device and get remote wipe capability. You want these whether or not the executive uses a passcode, but when they’re going around with unprotected devices, the “nuclear option” of remote wipe is your only line of defense should the phone get lost or stolen. Since many people’s mobile phones are also their primary cameras, and since many people also use them as photo albums for pictures that they somehow fail to back up, you may want to look into “containerization” or “selective wipe capability”. The last thing you want to be is the object of an executive’s wrath because you wiped out the only photos of his first child’s first steps. An effective way to “sell” remote wipe capability is to just say it’s part of MDM, which will allow you to configure their email/calendar/contacts access, sparing them from having to do that.
3. Try to get them to sign a waiver saying that they were advised of the risks and take full responsibility for the consequences. I’ve seen companies do this not just for execs who refuse to use passcodes to lock their mobile devices, but also for execs who use devices that IT is not ready to support or secure, such as the iPad in its earliest days.