Company data residing on personal devices is a done deal. Tech pros realize how important mobility is to employee productivity, and they're supporting it, but too often their companies' security practices fall short of addressing the data risks that mobility creates.
Among the 424 respondents to our InformationWeek 2013 Mobile Security Survey -- all of whom are involved with mobile device management, policy development, or security at their organizations -- almost nine of 10 support bring your own device or are developing BYOD policies. That's good. But for mobile security:
- Seventy-eight percent say their top mobile security concern is lost or stolen devices, well ahead of the No. 2 worry: users forwarding corporate data to cloud-based storage services (cited by 36%).
- Forty-six percent require a power-on password as an authentication mechanism for mobile devices that access enterprise data or networks, and password standards are appropriately tough. But more should be backing up passwords with data encryption.
- Forty-five percent let users bring in any device, and they let it on the network as long as the user agrees to certain policies. But too few are backing that up with steps such as robust mobile device and application management programs.
- Forty-five percent have had a data loss within the past 12 months; 11% of them were required to disclose the loss publicly.
We've had time to get our houses in order. Sixty-two percent of respondents to our 2012 Mobile Security Survey allowed BYOD; that grew to 68% this year, with an additional 20% in the process of developing such a policy. We see where this is headed, right? However, only 41% of these respondents require users to run mobile device management software on those devices, essentially the same as last year. Almost half (45%) simply require that the user agree to certain rules -- a policy that's all trust and no verify.
There's a slight increase in companies including mobile in their security awareness training -- 55%, up from 50% last year -- with another 22% planning to add it. Yet that means that almost one-quarter (23%) don't address mobile security in their training and don't plan to add it.
Mobile devices will get lost; 45% of companies report that a mobile device with corporate data on it went missing in the past 12 months. Companies are being risky when it comes to mobile security, so we offer several strategies here for improving the picture, along with data to make the business case for those strategies.
Companies still footing the phone bill
While BYOD is expanding, the corporate-provided smartphone isn't going away. We asked about the percentage of company-provided versus personally owned devices accessing corporate email and other systems; on average, 60% are company-provided, a higher number than we expected.
Apple has become the leading company-issued smartphone among our respondents, representing an average of 40% of devices, followed by BlackBerry (27%) and Android (24%). The iPhone also leads in personally owned devices accessing company data: 50% Apple, 34% Android, and 6% BlackBerry. Various Windows operating systems take a combined 6%.
But BYOD is going beyond smartphones. Some 80% of companies have at least some employees bringing their own tablets, and 69% see some employees bringing their own laptops. These aren't onesy-twosy trickles: 27% see more than half of employees bringing their own smartphones, 12% their own tablets, and 13% their own laptops.
Why so little encryption?
When asked to pick their top three mobile security concerns, 78% identify lost or stolen devices containing company information, followed by users forwarding data to cloud-based storage services such as Dropbox (36%) and mobile malware in applications from public app stores (34%). A considerable percentage are also concerned with penetration of their WiFi networks (32%) and security at public hotspots (26%). Twenty-two percent say their top concern is jailbroken or rooted devices that would allow unauthorized software to be run.
IT teams are worried about the right things, but they aren't taking enough action.
The first step in any mobile security program is to have a mobility policy that specifies what precautions must be taken in order to secure corporate data and systems -- and a way to make sure that employees follow the rules. Almost three-fourths of companies have such a policy and require that mobile users read and sign it. So far, so good. However, among people with a knowledge of their companies' plans for mobile device management systems, only 36% of organizations had plans, with 33% planning to acquire them within the next 24 months.
Encryption isn't widely used for company data on mobile devices, even though it's the best way to protect against data loss through misplaced or stolen devices. IT sees the value; 43% identify encryption as one of the top three security capabilities needed from an MDM system. However, for 51% of respondents, the on-device encryption policy "varies by device type, ownership, or approved use." That's not good enough. Just 13% require hardware encryption, while 23% require software encryption.
Even stranger than low adoption are the reasons given by the 56 organizations not requiring encryption. The only mildly acceptable answer is a "lack of management sponsorship or organizational imperative," an option selected by 20% of respondents. Even then, tech leaders should be lobbying for it. But 22% say "our staff does not have the skills to manage encryption on mobile devices" -- to which the answer is get the skills or outsource. High cost (11%) and a lack of effective enterprise key management (16%) also were often cited. Sorry, but encryption isn't rocket science, and IT leaders need to knock down the barriers to its use.
When it comes to securing access to corporate information, user name and password still top the list, cited by 73%. Some 46% require a power-on password, while 55% require a password only when the user is accessing corporate data. On-device certificate use held steady at 34%, and secure token use went from 21% to 19%. More exotic authentication mechanisms -- such as smart cards, pattern recognition, grid cards (such as Entrust's IdentityGuard), and cellular callback (such as PhoneFactor) -- each came in at less than 10%. Facial recognition garnered a mere 1%.
Companies are pretty tough with password requirements, which can be enforced with an MDM system or through Microsoft's Exchange ActiveSync. Some 53% require a password longer than four characters, and 52% require passwords to be changed multiple times per year; 47% employ an idle-time device lock.
On-device encryption and password access can safeguard data stored on the device, but sensitive data also needs protection in transit. VPN secure tunnels and Secure HTTP held the No. 1 and 2 spots for in-transit protection, with 65% and 55%, respectively, almost identical to what we saw last year. Not surprisingly, given the company's declining fortunes, BlackBerry secure email dropped from 49% to 37%, while the use of virtual desktop infrastructure (VDI) technology such as that from Citrix and VMware stayed about the same, from 34% to 36%.
What we're seeing with clients is that, if a company uses VDI for desktops, it will consider it for mobile devices, but few are adopting the technology specifically for mobile security.
With the move to iOS and Android devices, Good Technology is getting a bit of a boost; it's used by 16% of respondents, up from 13%. Given the strength of its security platform, Good is seen primarily in highly security-sensitive organizations, such as government and financial services, whereas more run-of-the-mill security requirements can typically be met with any MDM system.
download this InformationWeek December 2013 special issue on mobile security, distributed in an all-digital format (registration required).