How Mobile Security Lags BYOD

IT is turbo charging BYOD efforts, but mobile security practices aren't keeping up with the growing risk in several critical areas.

Download this InformationWeek December 2013 special issue on mobile security, distributed in an all-digital format (registration required).

Company data residing on personal devices is a done deal. Tech pros realize how important mobility is to employee productivity, and they're supporting it, but too often their companies' security practices fall short of addressing the data risks that mobility creates.

Among the 424 respondents to our InformationWeek 2013 Mobile Security Survey -- all of whom are involved with mobile device management, policy development, or security at their organizations -- almost nine in 10 either support bring-your-own-device (BYOD) or are developing BYOD policies. That's good. But for mobile security:

  • Seventy-eight percent say their top mobile security concern is lost or stolen devices, well ahead of the No. 2 worry: users forwarding corporate data to cloud-based storage services (cited by 36%).
  • Forty-six percent require a power-on password as an authentication mechanism for mobile devices that access enterprise data or networks, and password standards are appropriately tough. But more should be backing up passwords with data encryption.
  • Forty-five percent let users bring in any device, and they let it on the network as long as the user agrees to certain policies. But too few are backing that up with steps such as robust mobile device and application management programs.
  • Forty-five percent have had a data loss within the past 12 months; 11% of them were required to disclose the loss publicly.

We've had time to get our houses in order. Sixty-two percent of respondents to our 2012 Mobile Security Survey allowed BYOD; that grew to 68% this year, with an additional 20% in the process of developing such a policy. We see where this is headed, right? However, only 41% of these respondents require users to run mobile device management software on those devices, essentially the same as last year. Almost half (45%) simply require that the user agree to certain rules -- a policy that's all trust and no verify.

There's a slight increase in companies including mobile in their security awareness training -- 55%, up from 50% last year -- with another 22% planning to add it. Yet that means that almost one-quarter (23%) don't address mobile security in their training and don't plan to add it.

Mobile devices will get lost; 45% of companies report that a mobile device with corporate data on it went missing in the past 12 months. Companies are being risky when it comes to mobile security, so we offer several strategies here for improving the picture, along with data to make the business case for those strategies.

Companies still footing the phone bill
While BYOD is expanding, the corporate-provided smartphone isn't going away. We asked about the percentage of company-provided versus personally owned devices accessing corporate email and other systems; on average, 60% are company-provided, a higher number than we expected.

Apple has become the leading company-issued smartphone among our respondents, representing an average of 40% of devices, followed by BlackBerry (27%) and Android (24%). The iPhone also leads in personally owned devices accessing company data: 50% Apple, 34% Android, and 6% BlackBerry. Various Windows operating systems take a combined 6%.

But BYOD is going beyond smartphones. Some 80% of companies have at least some employees bringing their own tablets, and 69% see some employees bringing their own laptops. These aren't onesy-twosy trickles: 27% see more than half of employees bringing their own smartphones, 12% their own tablets, and 13% their own laptops.

Why so little encryption?
When asked to pick their top three mobile security concerns, 78% identify lost or stolen devices containing company information, followed by users forwarding data to cloud-based storage services such as Dropbox (36%) and mobile malware in applications from public app stores (34%). A considerable percentage are also concerned with penetration of their WiFi networks (32%) and security at public hotspots (26%). Twenty-two percent say their top concern is jailbroken or rooted devices that would allow unauthorized software to be run.

IT teams are worried about the right things, but they aren't taking enough action.

The first step in any mobile security program is to have a mobility policy that specifies what precautions must be taken in order to secure corporate data and systems -- and a way to make sure that employees follow the rules. Almost three-fourths of companies have such a policy and require that mobile users read and sign it. So far, so good. However, among people with a knowledge of their companies' plans for mobile device management systems, only 36% of organizations had plans, with 33% planning to acquire them within the next 24 months.

Encryption isn't widely used for company data on mobile devices, even though it's the best way to protect against data loss through misplaced or stolen devices. IT sees the value; 43% identify encryption as one of the top three security capabilities needed from an MDM system. However, for 51% of respondents, the on-device encryption policy "varies by device type, ownership, or approved use." That's not good enough. Just 13% require hardware encryption, while 23% require software encryption.

Even stranger than the low adoption are the reasons given by the 56 organizations not requiring encryption. The only mildly acceptable answer is a "lack of management sponsorship or organizational imperative," an option selected by 20% of respondents. Even then, tech leaders should be lobbying for it. But 22% say "our staff does not have the skills to manage encryption on mobile devices" -- to which the answer is: get the skills or outsource. High cost (11%) and a lack of effective enterprise key management (16%) were also cited. Sorry, but encryption isn't rocket science, and IT leaders need to knock down the barriers to its use.

When it comes to securing access to corporate information, user name and password still top the list, cited by 73%. Some 46% require a power-on password, while 55% require a password only when the user is accessing corporate data. On-device certificate use held steady at 34%, and secure token use went from 21% to 19%. More exotic authentication mechanisms -- such as smart cards, pattern recognition, grid cards (such as Entrust's IdentityGuard), and cellular callback (such as PhoneFactor) -- each came in at less than 10%. Facial recognition garnered a mere 1%.

Companies are pretty tough with password requirements, which can be enforced with an MDM system or through Microsoft's Exchange ActiveSync. Some 53% require a password longer than four characters, and 52% require passwords to be changed multiple times per year; 47% employ an idle-time device lock.
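As an added illustration (not from the article or its survey), the following Exchange Management Shell session turns the password controls measured above, plus the on-device encryption requirement the encryption section argues for, into one Exchange ActiveSync mobile device mailbox policy, assigns it, and then audits which synced devices have not actually applied it. It assumes Exchange Server 2013 cmdlet names (Exchange 2010 uses the older *-ActiveSyncMailboxPolicy cmdlets with Device-prefixed parameter names); the policy name and the group name are placeholders.

```powershell
# Added example, not the article's own material. Assumes Exchange Server 2013
# Exchange Management Shell. "BYOD-Baseline" and "BYOD-Users" are placeholders.

# 1. Create the policy. The four settings the survey measures: a device password,
#    longer than four characters, rotated during the year, and an idle-time lock;
#    plus the encryption requirement the article says too few organizations impose.
#    AllowNonProvisionableDevices $false refuses mail sync to devices that cannot
#    (or will not) accept the policy, which replaces "trust" with "verify".
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline" `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxPasswordFailedAttempts 10 `
    -PasswordExpiration 90.00:00:00 `
    -PasswordHistory 4 `
    -MaxInactivityTimeLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to the mailboxes of users who sync from personal devices
#    (here: every member of a placeholder distribution group).
Get-DistributionGroupMember -Identity "BYOD-Users" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Verify. List every synced device whose policy status is not AppliedInFull;
#    those are the devices to chase before one is lost, not after.
Get-Mailbox -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync
```

The values (six characters, 90-day expiration, five-minute lock) are illustrative thresholds, not figures from the survey; adjust them to your own policy.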

On-device encryption and password access can safeguard data stored on the device, but sensitive data also needs protection in transit. VPN secure tunnels and Secure HTTP held the No. 1 and 2 spots for in-transit protection, with 65% and 55%, respectively, almost identical to what we saw last year. Not surprisingly, given the company's declining fortunes, BlackBerry secure email dropped from 49% to 37%, while the use of virtual desktop infrastructure (VDI) technology such as that from Citrix and VMware stayed about the same, from 34% to 36%.

What we're seeing with clients is that, if a company uses VDI for desktops, it will consider it for mobile devices, but few are adopting the technology specifically for mobile security.

With the move to iOS and Android devices, Good Technology is getting a bit of a boost; it's used by 16% of respondents, up from 13%. Given the strength of its security platform, Good is seen primarily in highly security-sensitive organizations, such as government and financial services, whereas more run-of-the-mill security requirements can typically be met with any MDM system.

To read the rest of this story,
download this InformationWeek December 2013 special issue on mobile security, distributed in an all-digital format (registration required).

12/27/2013 | 4:21:32 PM

For BYOD, data security on smart mobile devices is a difficult issue, especially with the use of all the various apps available. Some companies are combating this issue with their own data security apps. Example, we are developing our own app for our employees and doctors, using the Tigertext Tigerconnect API for HIPAA compliant texting and Dropbox integration, this will allow an increase in security and compliance but not burden the users with a lot of security protocols and restrictions. The other benefit is that it will work across OS and platforms and it gives staff one app that allows IT to control the BYOD situation without making the user feel that they are in control of their device. I think the companies are going to have to be innovative with their BYOD policies and technologies in order to give drives that flexibility they need and give the companies the security they need. More info: http://developer.tigertext.com/
12/17/2013 | 9:26:58 AM
Device management
Hi Michael, an interesting article and statistics from your survey, especially with 78% of respondents saying their top concern is lost or stolen devices. Vodafone Global Enterprise provides complete global device management for enterprise with Vodafone Device Manager. Addressing concerns highlighted in your survey, Vodafone Device Manager allows IT Security Managers to lock stolen or lost devices, encrypt data and secure them with passwords greater than 4 characters. This short video explains more.
12/9/2013 | 9:06:47 PM
Enable BYOD by protecting your content
Very good data on mobile security. Mobile security policies should not be just for top security conscious companies in government and financial services. Companies need to find tools that will allow mobile workers to truly embrace BYOD with secure access to critical business data they need, anytime, anywhere, on their own devices. Check out this whitepaper by Accellion on best practices for secure enterprise content mobility: http://www.info.accellion.com/5-best-practices-for-secure-enterprise-content-mobility-whitepaper.html?sdet=5-best-practices-secure-enterprise-content-mobility
Muthu LeesaJ889
12/9/2013 | 7:27:14 AM
RE: How Mobile Security Lags BYOD
Hi Michael,

Data Security is the biggest roadblock to BYOD. Businesses are still trying to figure out best ways to tackle lost devices and data. A lot of discussions are happening over the effective use of MDM solutions and MAM solutions. But the security issue has to be addressed at a higher level. Businesses should literally own their apps. Think of enterprise app stores. A private app store for your business where you get to host, administer and monitor your enterprise apps. BYOD will not be a pain for the IT department anymore. Already Intel, SAP, now even the Department of Defense own private app stores. The benefits are of course undeniable. Here is a quick list of the benefits of having enterprise app stores: http://mlabs.boston-technology.com/blog/why-do-we-need-enterprise-mobile-app-stores
12/5/2013 | 1:08:08 PM
Protect the data not the device
"Company data residing on personal devices is a done deal" - I am not sure this is the right answer, especially if corporate (or any others for that matter) data is critical and/or sensitive. I think the true protection for this is keeping data off the device. After all, it is about data protection and it does not have to reside on the device; virtualization and secure redisplay technologies can greatly enhance data security while preserving the user experience (InformationWeek story at http://add.vc/fZy). It is interesting to note that the top concerns always are around data leakage and stolen devices but solutions are very device-centric.
12/5/2013 | 12:05:15 PM
phone security strategy
Lots of people get their lost phones back because they have one of these tracker tags on them, check it out - mystufflostandfound.com