Balancing BYOD and Security
I just wrapped up my most recent project, the InformationWeek 2013 State of Mobile Security Report, and it does appear that the desire to let employees use their own mobile devices for work is getting ahead of the systems that would ensure the security of corporate data and systems. The basis for the report is a survey of 424 IT professionals who are involved with mobile device management, policy development and/or security at their respective organizations. This is the second year we have done the report, and while the state of mobile security is improving in some areas, it doesn’t seem to be improving fast enough.
It is clear that BYOD initiatives are forging ahead, as 68 percent of respondents (up from 60 percent last year) now allow employees to use their personally owned devices for work, while another 20 percent are developing a BYOD policy. That means 88 percent of organizations will soon be supporting BYOD for some percentage of their employees. However, when we asked the percentage of company-provided versus personally owned mobile devices accessing corporate email, we found that 60 percent were still company-provided.
User preferences in mobile devices are clearly shifting as well. Despite the fact that Gartner puts Android’s worldwide market share at more than three times that of Apple’s iOS, the iPhone leads in the enterprise with an average of 50 percent of the personally owned and 40 percent of the company-provided units; Android comes in second for total units with 27 percent of the company-provided and 34 percent of the personally owned devices. BlackBerry now represents 27 percent of the company-provided devices, but only 6 percent of the personally owned units. So while BlackBerry is singing the BYOD song along with everyone else, the virtual disappearance of the brand in the consumer market is being reflected in the small number of personally owned BlackBerrys.
After those three, things drop off abruptly. Windows Mobile represents 3 percent of the company-provided devices and 2 percent of the personally owned units, and Windows Phone had 3 percent each of the company-provided and personally owned units. Symbian was 1 percent.
Our main focus was on security, so we also asked users to identify their top three mobile security concerns. “Lost/stolen devices” was far in the lead with 78 percent citing it followed by “Users forwarding corporate information to cloud-based services” (36 percent) and “Mobile malware in apps from public app stores” (34 percent). However, while our respondents had “concerns,” they did not appear to be taking adequate measures to address them.
Protection for corporate data on mobile devices that go missing requires encrypting data on devices, having strong passwords to access it, device timeouts, and the ability to remotely wipe the data. Policies involving on-device encryption were all over the lot. My recommendation would be “Hardware encryption, period” but that was selected by only 13 percent of respondents, while the most often selected response with 51 percent was “Varies by device type, ownership or approved use;” multiple responses were allowed. Frankly, it doesn’t matter who owns the device, security is still a core IT responsibility.
With regard to passwords, we found that 55 percent required a password to access the corporate data and another 46 percent required a power-on password; again, multiple responses were allowed. Some 34 percent used on-device certificates and 19 percent required secure tokens, virtually the same percentages as a year ago. None of the more “exotic” authentication mechanisms like pattern recognition, biometrics, or facial recognition came close to 10 percent. Cellular call-back systems like Microsoft’s PhoneFactor scored a mere 3 percent. Some 36 percent reported using a virtual desktop solution like Citrix or VMware for at least some of their mobile devices.
The real key to enforcing security policies is to employ a mobile device management (MDM) system. While 88 percent of organizations now or will soon be allowing BYOD, only 39 percent report having an MDM platform in place though another 33 percent plan to implement one within the next 24 months. Another 21 percent report using Microsoft’s Exchange ActiveSync for basic policy enforcement and remote wipe capability. For 45 percent of respondents, the mobility policy allows users to bring in personal devices as long as they agree to follow certain policies; 9 percent allow personally owned devices with no restrictions at all. One axiom in security is “trust but verify,” but this looks a lot more like “trust and pray.”
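As an added illustration (not part of the original report), the four controls named above for devices that go missing, on-device encryption, a password, an inactivity timeout and remote wipe, can be enforced through the basic Exchange ActiveSync policy mechanism that 21 percent of respondents rely on. The cmdlet and parameter names are the Exchange 2010 ActiveSync ones; the policy names, mailbox and device identity are placeholders.

```powershell
# Added example, not from the article. Exchange 2010 ActiveSync cmdlets are used;
# Exchange 2013 and later expose the same settings through New-MobileDeviceMailboxPolicy,
# Get-MobileDeviceStatistics and Clear-MobileDevice. Names below are placeholders.

# "Trust and pray": a permissive policy. AllowNonProvisionableDevices $true lets a
# device that cannot (or will not) apply the policy sync mail anyway, so whatever
# password and encryption settings exist are not actually enforced on it.
New-ActiveSyncMailboxPolicy -Name "BYOD-Permissive-PLACEHOLDER" `
    -AllowNonProvisionableDevices $true `
    -DevicePasswordEnabled $false `
    -RequireDeviceEncryption $false

# "Trust but verify": the same controls enforced regardless of who owns the device.
# A device that does not accept the policy is refused access to the mailbox;
# repeated wrong passwords trigger a local wipe; the device locks after 5 idle minutes;
# internal storage and any storage card must be encrypted.
New-ActiveSyncMailboxPolicy -Name "BYOD-Enforced-PLACEHOLDER" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true

# Assign the enforced policy to a mailbox (placeholder identity).
Set-CASMailbox -Identity "user@example.com" `
    -ActiveSyncMailboxPolicy "BYOD-Enforced-PLACEHOLDER"

# Verify, rather than trust: list the devices syncing this mailbox, when each last
# synced successfully, and whether it supports remote wipe at all.
Get-ActiveSyncDeviceStatistics -Mailbox "user@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceID, LastSuccessSync, IsRemoteWipeSupported

# Remote wipe for a device reported lost or stolen; the wipe is applied the next time
# the device syncs, and the notification address receives confirmation. Commented out
# here because the identity comes from Get-ActiveSyncDevice on the real system.
# Clear-ActiveSyncDevice -Identity "<DeviceIdentity from Get-ActiveSyncDevice>" `
#     -NotificationEmailAddresses "secops@example.com"
```

The permissive policy is shown only as the contrast: in practice an organization would create the enforced one and set it as the default policy so that no mailbox falls through to unenforced settings.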
The other glaring deficiency is in protection from mobile malware, particularly on the Android platform. McAfee reports it now has 50,926 mobile malware instances on file, up from just 792 in 2011. Despite that, 42 percent of respondents do no malware scanning whatsoever and 35 percent scan for malware on at least some platforms – hopefully Android is on that list.
Having assisted a number of clients in developing mobile policy and security plans, I don’t get the feeling that organizations are taking mobile security as seriously as they should be. While I understand the pressure to allow access to email and other corporate systems from users’ preferred devices, it is important to recognize the potential security vulnerability that creates. We found that 45 percent of respondents didn’t include mobile security in their general security awareness training or didn’t even have a security awareness training program at all.
One of the biggest things working against us in this is that we haven’t yet had a major security breach that was tied to a lost or stolen smartphone or tablet; we’ve had plenty dealing with laptops that have gone missing, or Mr. Snowden’s notorious thumb drive. As a result, getting the budget for staff and systems to better secure this growing population of ill-protected mobile devices is a tough pull. However, one front-page story in the Wall Street Journal could change that – just pray the story isn’t about your company.