More than half of organizations say that employees regularly sacrifice security in exchange for the efficiency enabled by using personal mobile devices to get work done in the office and at home. That problem seems to be compounded by survey results showing that one-third of those organizations’ employees work exclusively on mobile devices.
These are among the findings of a new survey commissioned by Raytheon and carried out by the Ponemon Institute. Organizations surveyed said they believe that in the next 12 months as many as 48 percent of employees will work exclusively from personal tablets and smartphones. Some 60 percent of those surveyed think that employees are becoming less diligent about practicing good security on mobile devices.
Mobile device security, therefore, depends on how organizations proceed, says Ashok Sankar, a vice president of cyber-strategies at Raytheon.
On the one hand, Sankar explained in an interview with Threatpost, if companies address bring-your-own-device (BYOD) security by attempting to secure every device and platform, that only complicates the problem. On the other hand, if companies take a data-centric approach, focusing on keeping data off devices with a virtualized solution, which Sankar and his Raytheon colleagues are referring to as a virtualized mobile infrastructure (VMI), then the possibility of securing data amidst BYOD becomes far more realistic.
The way this would work, Sankar explains, is that organizations could grant access to sensitive or confidential data running in a cloud server via native apps. In other words, mobile devices could view corporate information, but that data would never actually be stored on a mobile device. Policies would need to be instituted to control how data is accessed, by whom and under what conditions.
“As long as corporate data is secure,” he said, “why do you care how I access it and where I access it from?”
Keeping data in one location, he said, gives companies a better chance of successfully securing it.
“It’s about the data security and not the device security,” he said.
Unfortunately, there may not be enough budget available to security teams for either of Sankar’s scenarios to play out, because just 36 percent of respondents say they have sufficient budget space to deal with the explosive growth BYOD, which has some 40 percent of workers currently accessing corporate data on mobile devices. That number is only likely to increase according to this and other studies.
At the moment, the most popular mobile security strategies are mobile device management, which Sankar says isn’t really a security policy at all, and secure containers, which Sankar criticized because most containers are application level and exploitable at the operating system level, meaning an operating system bug could grant an attacker access to information stored in the container. To that end, half of those surveyed are unhappy with their organization’s mobile security policies.
Furthermore, 30 percent of respondents said their organizations have no mobile security features in place, while 75 percent said it is important to secure employees’ mobile devices. A virtualized solution was popular with 57 percent of respondents.
The report hints at an interesting dichotomy where organizations surveyed simultaneously gripe about users’ behavior on mobile devices, including their resistance to to mobile security policies, yet encourage workers to use devices to improve productivity.
The survey found that malware infections and user-negligence are the largest threats posed by personal mobile devices, followed by device theft or loss and data leakage. Circumvention of security controls was another concern cited.
The survey included responses from 618 IT and IT security practitioners who are involved in their organizations’ mobile and enterprise security activities. Most of the respondents are engaged in implementing enterprise security (65 percent), managing mobile technologies and platforms (55 percent) and setting mobile strategy (47 percent).