The Mobile Device Threat: Shocking Mobile Security Stats
10:00 AM EST Thu. Mar. 08, 2012
The number of personal devices being used in corporate settings is higher today than ever. And as more and more enterprise users turn to smartphones or tablets to meet business needs, security concerns among IT departments are mounting.
That's why Ponemon Institute, an IT security research firm, teamed up with Web security firm Websense to survey over 4,000 organizations on the topic, in 12 different countries. The study wasn’t specific to employee-owned devices – just mobile devices, in general. Its findings, released this week, expose the most common mobile security concerns and just how widespread they are.
Ranging from the institution of corporate mobility policies to the rate at which employees disengage passwords, here are the top 10 most eye-opening discoveries.
Ponemon and Websense received responses from 4,640 organizations. Even among such a diverse group, one take-away seemed immediately clear: organizations are embracing the flow of mobile devices into their businesses, but it definitely comes at a cost.
A whopping 77 percent of respondents said that the use of mobile devices in the workplace is important to achieving business objectives. But a nearly equal portion of survey-takers -- 76 percent -- believe that these tools introduce a "serious" set of risks.
Although respondents are cognizant of these risks, the findings showed that only 39 percent have security controls in place to mitigate them.
A lack of sufficient security controls has yielded a perhaps expected but widespread trend: malware.
Fifty-nine percent of Ponemon’s respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets. And a pretty hefty jump, at that. Thirty-one percent of those who have noticed a spike in malware cases said the increase was by more than 50 percent.
According to a separate study released by McAfee in December, Google’s Android OS is most at risk. The OS had a malware volume of 63 percent during the second quarter of last year, with Java ME next with 20 percent, and Symbian after that with 7 percent. RIM’s BlackBerry OS was fairly low risk with 6 percent, but Apple’s iOS was the real winner, apparently, by not even making the risk-maker list.
Ponemon's study showed that malware rates are rising, but not-so-nice software isn’t necessarily the biggest threat faced by IT in a mobilized work environment. The much more serious danger is a data breach.
Fifty-one percent of survey-takers said their organization has experienced a data breach due to insecure devices. And this number may be even higher – 23 percent said they weren’t really sure whether they have or not.
The effects of those breaches were all over the charts, but perhaps equally as frightening to IT directors. Among them was theft or loss of information and/or other resources, which was reported by 38 percent of those who have had a breach. Thirty-one percent have faced the disclosure of confidential data or information, and 10 percent have seen an interruption of services.
It's obvious that threats including malware and data breaches are on the up as the mobile workforce grows. But what Ponemon and Websense also found is that organizations aren’t really arming themselves with corporate policies to prevent these threats in the first place.
Of the 4,640 respondents, more than half of them -- 55 percent, to be exact -- said that their organization does not have a policy in place that outlines the acceptable (or, perhaps more importantly, the unacceptable) use cases for employee mobile devices.
And even among the 45 percent that do have a corporate use policy in place, less than half said that they actually enforce it. This, they claimed, was due primarily to a lack of governance or other security issues taking priority.
Device-level settings and controls can help combat mobile security risks -- if they’re actually turned on.
But that doesn’t seem to be the case in most organizations, according to Ponemon’s study. While 49 percent of respondents said they require the use of device-level security settings in the workplace, only a meager 6 percent said employees are actually compliant and 15 percent said they weren’t even sure if they were.
This poor showing could be the fault of employees themselves, rather than an IT manager or director. Fifty-nine percent of the organizations surveyed said they know employees disengage security features such as key locks and passwords.
When it comes to mobile risks, some combative technologies are more preferred than others, Ponemon and Websense found.
The study listed a number of potential solutions for minimizing mobile security risks and asked respondents to identify which they most prefer. Device-level encryption topped the list (despite the fact that, in a separate survey question, only about half of the respondents said they enforce this measure). Endpoint security solutions were a close second, followed by identity and access management (IAM) solutions, anti-virus/anti-malware (AV/AM), and mobile device management (MDM) technologies. The study said that many companies invest significantly in encryption and endpoint security solutions to safeguard mobile environments, but lack the ability to track how and what data is leaving through insecure mobile devices. For maximum risk mitigation, businesses need data loss prevention technology that can keep tabs on where critical data is hosted, who accesses it, and how exactly it’s being lost.
Ponemon's study revealed a number of security-related trends in mobilized work environments. But what it also exposed is what employers discourage the most when it comes to employees’ use of mobile devices.
According to respondents, taking photos or videos while in the workplace is the number one most unacceptable use of a laptop, smartphone, or tablet. Ponemon and Websense speculated that this could stem from fears of increased theft or the distribution of confidential information.
The second most looked-down-upon activity to perform on mobile devices is downloading and using internet apps, followed by using personal email accounts. Downloading and watching videos (as opposed to recording them) was also identified, as was making personal phone calls.
Among the countries surveyed by Ponemon and Websense, the European ones seemed to position mobile devices as being more critical to their organizations than any other countries surveyed.
When asked how important mobile devices were to supporting their businesses, respondents from Italy showed mobility the most love, with 92 percent classifying them as essential. France and Germany were tied for a close second at 91 percent.
Australia, the U.S., and the UK, however, were on the opposite end of the spectrum. Mobile devices are apparently the least desired in Australian enterprises, with only 61 percent of respondents citing them as being crucial to their work. The UK was next in line with 63 percent, only slightly below the U.S. response of 69 percent.
Based on their findings, Ponemon and Websense made recommendations for organizations grappling with the mobility boom.
First, they said, be sure to understand the risk that mobile devices create in the workplace and to gauge just how serious it is by conducting frequent risk assessments. Educating employees about the importance of safeguarding their devices can also go a long way, they said.
Creating a mobile device corporate policy is always a good idea -- but it’s only efficient when enforced. So remember to not only launch a corporate policy, but to actively ensure it’s being followed. Leveraging mobile device management solutions, security access controls, and even cloud services can help keep confidential data out of the hands of unauthorized viewers, so be sure to take advantage of what’s out there. Of course, a boost in demand for cloud and security services is always good news for the channel, too.