12/4/2013 09:06 AM

How Mobile Security Lags BYOD

IT is turbo charging BYOD efforts, but mobile security practices aren't keeping up with the growing risk in several critical areas.

Download this InformationWeek December 2013 special issue on mobile security, distributed in an all-digital format (registration required).

Company data residing on personal devices is a done deal. Tech pros realize how important mobility is to employee productivity, and they're supporting it, but too often their companies' security practices fall short of addressing the data risks that mobility creates.

Among the 424 respondents to our InformationWeek 2013 Mobile Security Survey -- all of whom are involved with mobile device management, policy development, or security at their organizations -- almost nine in 10 support bring your own device (BYOD) or are developing BYOD policies. That's good. But for mobile security:

  • Seventy-eight percent say their top mobile security concern is lost or stolen devices, well ahead of the No. 2 worry: users forwarding corporate data to cloud-based storage services (cited by 36%).
  • Forty-six percent require a power-on password as an authentication mechanism for mobile devices that access enterprise data or networks, and password standards are appropriately tough. But more should be backing up passwords with data encryption.
  • Forty-five percent let users bring in any device, and they let it on the network as long as the user agrees to certain policies. But too few are backing that up with steps such as robust mobile device and application management programs.
  • Forty-five percent have had a data loss within the past 12 months; 11% of them were required to disclose the loss publicly.

We've had time to get our houses in order. Sixty-two percent of respondents to our 2012 Mobile Security Survey allowed BYOD; that grew to 68% this year, with an additional 20% in the process of developing such a policy. We see where this is headed, right? However, only 41% of these respondents require users to run mobile device management software on those devices, essentially the same as last year. Almost half (45%) simply require that the user agree to certain rules -- a policy that's all trust and no verify.

There's a slight increase in companies including mobile in their security awareness training -- 55%, up from 50% last year -- with another 22% planning to add it. Yet that means that almost one-quarter (23%) don't address mobile security in their training and don't plan to add it.

Mobile devices will get lost; 45% of companies report that a mobile device with corporate data on it went missing in the past 12 months. Companies are being risky when it comes to mobile security, so we offer several strategies here for improving the picture, along with data to make the business case for those strategies.

Companies still footing the phone bill
While BYOD is expanding, the corporate-provided smartphone isn't going away. We asked about the percentage of company-provided versus personally owned devices accessing corporate email and other systems; on average, 60% are company-provided, a higher number than we expected.

Apple has become the leading company-issued smartphone among our respondents, representing an average of 40% of devices, followed by BlackBerry (27%) and Android (24%). The iPhone also leads in personally owned devices accessing company data: 50% Apple, 34% Android, and 6% BlackBerry. Various Windows operating systems take a combined 6%.

But BYOD is going beyond smartphones. Some 80% of companies have at least some employees bringing their own tablets, and 69% see some employees bringing their own laptops. These aren't onesy-twosy trickles: 27% see more than half of employees bringing their own smartphones, 12% their own tablets, and 13% their own laptops.

Why so little encryption?
When asked to pick their top three mobile security concerns, 78% identify lost or stolen devices containing company information, followed by users forwarding data to cloud-based storage services such as Dropbox (36%) and mobile malware in applications from public app stores (34%). A considerable percentage are also concerned with penetration of their WiFi networks (32%) and security at public hotspots (26%). Twenty-two percent say their top concern is jailbroken or rooted devices that would allow unauthorized software to be run.

IT teams are worried about the right things, but they aren't taking enough action.

The first step in any mobile security program is to have a mobility policy that specifies what precautions must be taken in order to secure corporate data and systems -- and a way to make sure that employees follow the rules. Almost three-fourths of companies have such a policy and require that mobile users read and sign it. So far, so good. However, among respondents with knowledge of their companies' plans for mobile device management (MDM) systems, only 36% say their organization has MDM plans in place, with another 33% planning to acquire an MDM system within the next 24 months.

Encryption isn't widely used for company data on mobile devices, even though it's the best way to protect against data loss through misplaced or stolen devices. IT sees the value; 43% identify encryption as one of the top three security capabilities needed from an MDM system. However, for 51% of respondents, the on-device encryption policy "varies by device type, ownership, or approved use." That's not good enough. Just 13% require hardware encryption, while 23% require software encryption.

Even stranger than low adoption are the reasons given by the 56 organizations not requiring encryption. The only mildly acceptable answer is a "lack of management sponsorship or organizational imperative," an option selected by 20% of respondents. Even then, tech leaders should be lobbying for it. But 22% say "our staff does not have the skills to manage encryption on mobile devices" -- to which the answer is get the skills or outsource. High cost (11%) and a lack of effective enterprise key management (16%) also were often cited. Sorry, but encryption isn't rocket science, and IT leaders need to knock down the barriers to its use.

When it comes to securing access to corporate information, user name and password still top the list, cited by 73%. Some 46% require a power-on password, while 55% require a password only when the user is accessing corporate data. On-device certificate use held steady at 34%, and secure token use went from 21% to 19%. More exotic authentication mechanisms -- such as smart cards, pattern recognition, grid cards (such as Entrust's IdentityGuard), and cellular callback (such as PhoneFactor) -- each came in at less than 10%. Facial recognition garnered a mere 1%.

Companies are pretty tough with password requirements, which can be enforced with an MDM system or through Microsoft's Exchange ActiveSync. Some 53% require a password longer than four characters, and 52% require passwords to be changed multiple times per year; 47% employ an idle-time device lock.
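The survey's gap between "user agrees to certain rules" and "device is actually verified" is the point of the following added example; it is not code from the article or the survey. It turns the controls discussed in the preceding paragraphs (power-on password, length longer than four characters, rotation several times a year, idle-time lock, on-device encryption, jailbreak status) into rules evaluated against state an MDM agent reports, and treats an unenrolled device as unverifiable rather than compliant. The policy thresholds, record field names and the three device records are constructed assumptions, not values from the survey.

```python
"""Added example (not from the InformationWeek article or survey): a minimal
compliance check over MDM-reported device state. Field names, thresholds and
the sample device records below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policy:
    # Thresholds are assumptions chosen to mirror the survey's categories.
    require_power_on_password: bool = True
    min_password_length: int = 5        # "longer than four characters"
    max_password_age_days: int = 90     # "changed multiple times per year"
    max_idle_lock_minutes: int = 15     # idle-time device lock
    require_encryption: bool = True     # on-device encryption
    deny_jailbroken: bool = True        # jailbroken/rooted devices


def evaluate_device(device: Dict, policy: Policy) -> List[str]:
    """Return human-readable findings for one device; an empty list means
    compliant. Every check reads MDM-reported state, never the user's
    signed acceptable-use form."""
    if not device.get("mdm_enrolled", False):
        # Without an MDM agent the remaining attributes are self-reported
        # (the "all trust and no verify" posture), so stop here.
        return ["not enrolled in MDM: device state cannot be verified"]

    findings: List[str] = []
    if policy.deny_jailbroken and device.get("jailbroken", False):
        findings.append("jailbroken/rooted device")

    has_pw = device.get("power_on_password", False)
    if policy.require_power_on_password and not has_pw:
        findings.append("no power-on password")
    if has_pw and device.get("password_length", 0) < policy.min_password_length:
        findings.append(
            f"password shorter than {policy.min_password_length} characters")
    if has_pw and device.get("password_age_days", 0) > policy.max_password_age_days:
        findings.append(
            f"password older than {policy.max_password_age_days} days")

    idle = device.get("idle_lock_minutes")
    if idle is None or idle > policy.max_idle_lock_minutes:
        findings.append(
            f"idle lock missing or longer than {policy.max_idle_lock_minutes} minutes")

    if policy.require_encryption and not device.get("encrypted", False):
        findings.append("device storage not encrypted")
    return findings


def compliance_report(devices: List[Dict], policy: Policy) -> Dict:
    """Evaluate every device and summarise the share that is fully compliant."""
    per_device = {d["id"]: evaluate_device(d, policy) for d in devices}
    compliant = sum(1 for f in per_device.values() if not f)
    percent = round(100 * compliant / len(devices)) if devices else 0
    return {"devices": per_device, "percent_compliant": percent}


# Constructed sample inventory (hypothetical device ids and attributes).
SAMPLE_DEVICES = [
    {"id": "iphone-01", "mdm_enrolled": True, "jailbroken": False,
     "power_on_password": True, "password_length": 6, "password_age_days": 40,
     "idle_lock_minutes": 5, "encrypted": True},
    {"id": "android-02", "mdm_enrolled": True, "jailbroken": True,
     "power_on_password": True, "password_length": 4, "password_age_days": 200,
     "idle_lock_minutes": 30, "encrypted": False},
    # User signed the policy but never enrolled: trust, no verify.
    {"id": "byod-03", "mdm_enrolled": False, "signed_policy": True},
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_DEVICES, Policy())
    for dev_id, findings in report["devices"].items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
    print(f"{report['percent_compliant']}% of devices fully compliant")
```

On the constructed inventory only the first device passes; the rooted, unencrypted Android handset collects five findings, and the unenrolled device is reported as unverifiable, which is the honest result for a program that stops at a signed form.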

On-device encryption and password access can safeguard data stored on the device, but sensitive data also needs protection in transit. VPN secure tunnels and Secure HTTP (HTTPS) held the No. 1 and No. 2 spots for in-transit protection, with 65% and 55%, respectively, almost identical to what we saw last year. Not surprisingly, given the company's declining fortunes, BlackBerry secure email dropped from 49% to 37%, while the use of virtual desktop infrastructure (VDI) technology such as that from Citrix and VMware stayed about the same, from 34% to 36%.

What we're seeing with clients is that, if a company uses VDI for desktops, it will consider it for mobile devices, but few are adopting the technology specifically for mobile security.

With the move to iOS and Android devices, Good Technology is getting a bit of a boost; it's used by 16% of respondents, up from 13%. Given the strength of its security platform, Good is seen primarily in highly security-sensitive organizations, such as government and financial services, whereas more run-of-the-mill security requirements can typically be met with any MDM system.

To read the rest of this story,
download this InformationWeek December 2013 special issue on mobile security, distributed in an all-digital format (registration required).

Comments

BobH088 (User Rank: Apprentice), 12/5/2013 12:05:15 PM
phone security strategy
Lots of people get their lost phones back because they have one of these tracker tags on them, check it out - mystufflostandfound.com

asankar (User Rank: Apprentice), 12/5/2013 1:08:08 PM
Protect the data not the device
"Company data residing on personal devices is a done deal" - I am not sure this is the right answer, especially if corporate (or any other, for that matter) data is critical and/or sensitive. I think the true protection for this is keeping data off the device. After all, it is about data protection, and it does not have to reside on the device; virtualization and secure redisplay technologies can greatly enhance data security while preserving the user experience (InformationWeek story at http://add.vc/fZy). It is interesting to note that the top concerns are always around data leakage and stolen devices, but solutions are very device-centric.

Muthu LeesaJ889 (User Rank: Apprentice), 12/9/2013 7:27:14 AM
RE: How Mobile Security Lags BYOD
Hi Michael,

Data security is the biggest roadblock to BYOD. Businesses are still trying to figure out the best ways to tackle lost devices and data. A lot of discussions are happening over the effective use of MDM solutions and MAM solutions. But the security issue has to be addressed at a higher level. Businesses should literally own their apps. Think of enterprise app stores. A private app store for your business where you get to host, administer and monitor your enterprise apps. BYOD will not be a pain for the IT department anymore. Already Intel, SAP, and now even the Department of Defense own private app stores. The benefits are of course undeniable. Here is a quick list of the benefits of having enterprise app stores: http://mlabs.boston-technology.com/blog/why-do-we-need-enterprise-mobile-app-stores

ramakol (User Rank: Apprentice), 12/9/2013 9:06:47 PM
Enable BYOD by protecting your content
Very good data on mobile security. Mobile security policies should not be just for top security conscious companies in government and financial services. Companies need to find tools that will allow mobile workers to truly embrace BYOD with secure access to critical business data they need, anytime, anywhere, on their own devices. Check out this whitepaper by Accellion on best practices for secure enterprise content mobility: http://www.info.accellion.com/5-best-practices-for-secure-enterprise-content-mobility-whitepaper.html?sdet=5-best-practices-secure-enterprise-content-mobility

NickLee1 (User Rank: Apprentice), 12/17/2013 9:26:58 AM
Device management
Hi Michael, an interesting article and statistics from your survey, especially with 78% of respondents saying their top concern is lost or stolen devices. Vodafone Global Enterprise provides complete global device management for enterprises with Vodafone Device Manager. Addressing concerns highlighted in your survey, Vodafone Device Manager allows IT security managers to lock stolen or lost devices, encrypt data and secure them with passwords greater than 4 characters. This short video explains more.
http://bit.ly/1cqtKcv

sharronstone (User Rank: Apprentice), 12/27/2013 4:21:32 PM
BYOD
For BYOD, data security on smart mobile devices is a difficult issue, especially with the use of all the various apps available. Some companies are combating this issue with their own data security apps. For example, we are developing our own app for our employees and doctors, using the TigerText TigerConnect API for HIPAA-compliant texting and Dropbox integration; this will allow an increase in security and compliance but not burden the users with a lot of security protocols and restrictions. The other benefit is that it will work across OS and platforms, and it gives staff one app that allows IT to control the BYOD situation without making the user feel that they are in control of their device. I think the companies are going to have to be innovative with their BYOD policies and technologies in order to give drives that flexibility they need and give the companies the security they need. More info: http://developer.tigertext.com/