Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

9/22/2014
02:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Mobile-Only Employee Trend Could Break Security Models

One-third of employees exclusively use mobile devices for work, but security organizations still aren't shifting their risk management focus.

Common wisdom is that there's no turning the clock back on BYOD and mobility culture in the enterprise today. But just how instrumental are mobile technologies to employee work habits, and how well have IT departments started to manage the associated risks? A survey out today shows the productivity increase due to mobility to be dramatic. But in spite of bottom-line benefits, organizations aren't reinvesting some of that money into the necessary security measures to reduce risk.

Conducted by the Ponemon Institute on behalf of Raytheon, the survey (registration required) showed that, for a significant chunk of the workforce, mobile technologies are no longer just a beneficial supplemental computing technology but actually the primary means of getting business done. According to respondents, one-third of employees exclusively use mobile devices to do their work, and that is expected to rise to nearly half of employees over the next year. Meanwhile, 61% of respondents report that mobile devices have increased employee productivity at their organizations.

However, most businesses are seeing these productivity gains offset by a growing mobile risk profile. Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats.

"Most enterprises are finding workforce productivity high with BYOD, and they can see significant tangible benefits by having workers connected with their device," says Ashok Sankar, senior director of product management and strategy at Raytheon Cyber Products. "But security is being compromised in favor of productivity."

As the business benefits continue to rise, so does the proliferation of devices. The study found that the typical organization manages an average of 20,000 devices, with that number expected to rise to 28,000 in 12 months. In fact 18% of organizations report that, within a year, they may need to manage more than 75,000 devices. This can only serve to put more pressure on security organizations; respondents reported it takes an average of $278 to manage devices securely.

Organizations identified malware infection and end-user negligence as two of the biggest mobile risks. Of particular concern was the fact that employee behavior has grown increasingly lackadaisical about security as mobile flexibility increases. Approximately 60% of respondents believe mobile devices have diminished employees' security habits.

In addition to improving security technology investments around mobility, organizations may need to put more onus on employees to improve their behavior.

"There's always been a one-sided conversation between IT and employees, with IT providing laptops or desktops and a specific image of the device and that was it," Sankar says. "The newer paradigm has to be a two-way conversation. People want to use what they want, which is fine. But maybe there's a responsibility factor associated with the mobile user than they had originally. So with flexibility comes responsibility."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/24/2014 | 4:32:26 PM
With flexibility comes responsiblity
Does anybody agree with Ashok Sankar's statement that there's been a paradigm shift from the days when IT handed laptops to employees to a mobile era where people will want to use what they want, but take more responsibility for security. I think that's a pipe dream. Am I right?

 

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/24/2014 | 2:41:14 PM
Re: Mobile Device Strategy MDM or EMM
App containers, I think, are a good method of reducing risk by allowing only approved apps to permeate your mobile environment. Its difficult to provide a completely comprehensive app container without a few things. 

As you say Android is difficult because many third parties are just starting to get into the security sector of android as a device, and EMM/MDM is even further behind due to its open source properties.

Mobile devices are a daunting task as is. But if you are going to validate the apps before they go out you are going to need a team of developers and security specialists working together a majority of the time. They will need to be dedicated to this and many enterprises don't have the resources to do so.

I feel that it needs to be defined in policy what types of devices are allowed to connect to your network. By doing this, you can cut down on the quantity of apps your team would need to validate in an app container.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
9/23/2014 | 2:49:56 PM
Re: Mobile Device Strategy MDM or EMM
I think one of the biggest issues is that the way the app containers work themselves mean employees are more likely to go ahead and trust an application without considering that there is a risk of malware being integrated into it, especially on less-strict platforms like Android where there is lighter regulations on what apps can be made available in their stores.  Unless your security policy is able to test these apps and limit their exposure to corporate data, there will always be an inherent risk in any app that is installed.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 12:02:28 PM
Re: Mobile Device Strategy MDM or EMM
I agree we can lock down the whole device to minimize exposure to the risks,  MDM/EMM solutions can help to separate personal and corporate world and ease down security policy on persons' personal data and apps. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:59:07 AM
Re: Mobile-Only Employee Trend Could Break Security Models
I agree, there is a bigger security challenge in mobility. Mobile devices are more expose to security than other things we keep inside the network. Unless the companies have a good BYOD policy and implementation of it, they are basically exposed the rest of the world to be hacked.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/23/2014 | 11:54:01 AM
confidentiality integrity - Availability trade-off
 

As it is the case for all major systems we use there is always trade-off between confidentiality– integrity – Availability. You can not really lock everything down and say I am secure. That does not work for end-user point of view, they should be ale to do their daily tasks otherwise doing business would not make sense. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/23/2014 | 11:29:59 AM
Re: Mobile-Only Employee Trend Could Break Security Models
That is a very good guess, and it is a huge issue, I admit. However, forging ahead while knowing that there are very big risks that have not been mitigated or even addressed is often a fatal mistake. Imagine a typical organization with a server farm, storage infrastructure, etc. Add to that the configuration of every connecting computer installed with every user having administrative rights, allowing those users to manage their own computers, and no anti-malware or group policy to protect it. Breaking into that infrastructure is almost child's play. Sure, everyone is instantly more productive, but at the same time, the vulnerability of the infrastructure has grown exponentially. Wouldn't it be better to put in place some sort of central management platform and policies that control the connecting computers before you deploy them? Implementing the management platform after deploying the devices sounds a lot like locking the barn door after the horses have escaped.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/23/2014 | 10:05:44 AM
Re: Mobile-Only Employee Trend Could Break Security Models
My guess is that it's not that anyone is taking mobile risks lightly. It's that the juggernaut of BYOD is so overwhelming that it's easier to stick your head in the sand and do nothing, than trying to figure out a solution to a constantly changing and difficult problem.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/22/2014 | 4:09:46 PM
Mobile-Only Employee Trend Could Break Security Models
"Approximately 52% of respondents reported that security practices on mobile devices have been sacrificed in order to improve employee productivity. The survey showed that 30% of organizations still have absolutely no security features in place to support mobility, and 74% of respondents say their security is inadequate to mitigate mobile threats." <-- Those statistics spell an Information Systems Security death wish! It is unfortunate that organizations take those high risks so lightly because it is so irresponsible! Did any of those organizations even perform a risk assessment? I just read the report, and I am almost at a loss for words. All I can do is shake my head in disbelief.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/22/2014 | 2:36:07 PM
Mobile Device Strategy MDM or EMM
My organization is in the process of refining the policies to incorporate MDM. People from organziations that do have an MDM or EMM, could you elaborate on how it is incorporated from an end user perspective and what specific security benefits are gained from your implementation? Thanks,
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5531
PUBLISHED: 2020-02-17
Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 MELSEC-Q Series C Controller Module(Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module(R12CCPU-V Ethe...
CVE-2020-7252
PUBLISHED: 2020-02-17
Unquoted service executable path in DXL Broker in McAfee Data eXchange Layer (DXL) Framework 6.0.0 and earlier allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.
CVE-2020-9024
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.3.1 and 2.4.2 devices have world-writable permissions for the /root/cleardata.pl (executed as root by crond) and /root/loadperl.sh (executed as root at boot time) scripts.
CVE-2020-9025
PUBLISHED: 2020-02-17
Iteris Vantage Velocity Field Unit 2.4.2 devices have multiple stored XSS issues in all parameters of the Start Data Viewer feature of the /cgi-bin/loaddata.py script.
CVE-2020-9026
PUBLISHED: 2020-02-17
ELTEX NTP-RG-1402G 1v10 3.25.3.32 devices allow OS command injection via the PING field of the resource ping.cmd. The NTP-2 device is also affected.