Balancing BYOD and Security
I just wrapped up my most recent project, the InformationWeek 2013 State of Mobile Security Report, and it does appear that the desire to let employees use their own mobile devices for work is getting ahead of the systems that would ensure the security of corporate data and systems. The basis for the report is a survey of 424 IT professionals who are involved with mobile device management, policy development and/or security at their respective organizations. This is the second year we have done the report, and while the state of mobile security is improving in some areas, it doesn't seem to be improving fast enough.
It is clear that BYOD initiatives are forging ahead, as 68 percent of respondents (up from 60 percent last year) now allow employees to use their personally owned devices for work, while another 20 percent are developing a BYOD policy. That means 88 percent of organizations will soon be supporting BYOD for some percentage of their employees. However, when we asked the percentage of company-provided versus personally owned mobile devices accessing corporate email, we found that 60 percent were still company-provided.
User preferences in mobile devices are clearly shifting as well. Despite the fact that Gartner puts Android's worldwide market share at more than three times that of Apple's iOS, the iPhone leads in the enterprise with an average of 50 percent of the personally owned and 40 percent of the company-provided units; Android comes in second for total units with 27 percent of the company-provided and 34 percent of the personally owned devices. BlackBerry now represents 27 percent of the company-provided devices, but only 6 percent of the personally owned units. So while BlackBerry is singing the BYOD song along with everyone else, the virtual disappearance of the brand in the consumer market is being reflected in the small number of personally owned BlackBerrys.
After those three, things drop off abruptly. Windows Mobile represents 3 percent of the company-provided devices and 2 percent of the personally owned units, and Windows Phone had 3 percent each of the company-provided and personally owned units. Symbian was 1 percent.
Our main focus was on security, so we also asked users to identify their top three mobile security concerns. "Lost/stolen devices" was far in the lead with 78 percent citing it, followed by "Users forwarding corporate information to cloud-based services" (36 percent) and "Mobile malware in apps from public app stores" (34 percent). However, while our respondents had "concerns," they did not appear to be taking adequate measures to address them.
Protection for corporate data on mobile devices that go missing requires encrypting data on devices, having strong passwords to access it, device timeouts, and the ability to remotely wipe the data. Policies involving on-device encryption were all over the lot. My recommendation would be "Hardware encryption, period," but that was selected by only 13 percent of respondents, while the most often selected response with 51 percent was "Varies by device type, ownership or approved use;" multiple responses were allowed. Frankly, it doesn't matter who owns the device; security is still a core IT responsibility.
With regard to passwords, we found that 55 percent required a password to access the corporate data and another 46 percent required a power-on password; again, multiple responses were allowed. Some 34 percent used on-device certificates and 19 percent required secure tokens, virtually the same percentages as a year ago. None of the more "exotic" authentication mechanisms like pattern recognition, biometrics, or facial recognition came close to 10 percent. Cellular callback systems like Microsoft's PhoneFactor scored a mere 3 percent. Some 36 percent reported using a virtual desktop solution like Citrix or VMware for at least some of their mobile devices.
The real key to enforcing security policies is to employ a mobile device management (MDM) system. While 88 percent of organizations now allow or will soon allow BYOD, only 39 percent report having an MDM platform in place, though another 33 percent plan to implement one within the next 24 months. Another 21 percent report using Microsoft's Exchange ActiveSync for basic policy enforcement and remote wipe capability. For 45 percent of respondents, the mobility policy allows users to bring in personal devices as long as they agree to follow certain policies; 9 percent allow personally owned devices with no restrictions at all. One axiom in security is "trust but verify," but this looks a lot more like "trust and pray."
The other glaring deficiency is in protection from mobile malware, particularly on the Android platform. McAfee reports it now has 50,926 mobile malware instances on file, up from just 792 in 2011. Despite that, 42 percent of respondents do no malware scanning whatever and 35 percent scan for malware on at least some platforms - hopefully Android is on that list.
Having assisted a number of clients in developing mobile policy and security plans, I don't get the feeling that organizations are taking mobile security as seriously as they should be. While I understand the pressure to allow access to email and other corporate systems from users' preferred devices, it is important to recognize the potential security vulnerability that creates. We found that 45 percent of respondents didn't include mobile security in their general security awareness training or didn't even have a security awareness training program at all.
One of the biggest things working against us in this is that we haven't yet had a major security breach that was tied to a lost or stolen smartphone or tablet; we've had plenty dealing with laptops that have gone missing, or Mr. Snowden's notorious thumb drive. As a result, getting the budget for staff and systems to better secure this growing population of ill-protected mobile devices is a tough pull. However, one front-page story in the Wall Street Journal could change that - just pray the story isn't about your company.