Michael Finneran
Michael F. Finneran is President of dBrn Associates, Inc., a full service advisory firm specializing in wireless and mobility; services...

Michael Finneran | July 07, 2013 |


The State of Mobile Security


The mobile security bomb seems to be ticking, and we just hope it doesn't have our name on it.

We just posted the InformationWeek 2013 State of Mobile Security Report, and got a good look at how users are dealing (or "not dealing") with the security challenges of the BYOD era. The report is based on a survey of 424 IT professionals, all of whom are involved with mobile device management, policy development and/or security at their respective organizations.

The first point that became clear was that BYOD is forging ahead, with 68% of respondents now allowing employees to use their personally owned devices for work; that's up from 60% last year. Another 20% are developing a BYOD policy, so fairly soon 88% of organizations will be supporting BYOD in some form.

Surprisingly, when we asked about the percentage of company-provided versus personally-owned mobile devices accessing corporate email, we found that 60% were still company-provided. It will be interesting to see how that changes next year.

Security was our main focus, and we asked users to identify their top three mobile security concerns. "Lost/stolen devices" led the list of concerns, with 78% citing it, followed by "Users forwarding corporate information to cloud-based services" (36%) and "Mobile malware in apps from public app stores" (34%).

Surprisingly, the security of the corporate Wi-Fi network is still a concern for almost a third of respondents, despite the fact that security options like WPA2 encryption and 802.1X authentication have been around for years. However, while our respondents had "concerns", they did not appear to be taking adequate measures to address them.

To protect corporate data stored on mobile devices that go missing, the data needs to be encrypted and protected by a strong password, and there must be a way to wipe it remotely. Policies involving on-device encryption were all over the lot. My recommendation would be "Hardware encryption, period" but that was selected by only 13% of respondents. The most often selected response, with 51%, was "Varies by device type, ownership or approved use"; multiple responses were allowed. Frankly, it doesn't matter who owns the device; data security is still a core IT responsibility.

With passwords, we found that 55% of respondents required a password to access the corporate data, and another 46% required a power-on password (multiple responses were allowed). Some 34% used on-device certificates and 19% required secure tokens, virtually the same percentages as a year ago.

None of the more "exotic" authentication mechanisms like pattern recognition, biometrics, or facial recognition came close to 10%. Cellular callback systems like Microsoft's PhoneFactor scored a mere 3%. Also, 36% reported using a virtual desktop solution like Citrix or VMware for at least some of their mobile devices.

The real key to enforcing security policies is to employ a mobile device management (MDM) system. While 88% of organizations now or soon will allow BYOD, only 39% report having an MDM platform in place, though another 33% plan to implement one within the next 24 months. Some 21% use Microsoft's Exchange ActiveSync for basic policy enforcement and remote wipe capability. For 45% of respondents, the mobility policy allows users to bring in personal devices so long as they agree to follow certain policies; 9% allow personally owned devices with no restrictions at all. One axiom in security is "trust but verify"; this looks a lot more like "trust and pray."

The other glaring deficiency is in protection from mobile malware, particularly on the Android platform. McAfee reports it now has 50,926 mobile malware instances on file, up from just 792 in 2011. Despite that, 42% of respondents do no malware scanning whatever and 35% scan for malware on at least some platforms--hopefully Android is on that list. Only 23% scan for malware on all platforms.

User preferences in mobile devices are clearly shifting as well. While Gartner puts Android's worldwide market share at more than three times that of Apple's iOS, the iPhone still leads in the enterprise with an average of 50% of the personally owned and 40% of the company-provided units; Android comes in second for total units with 27% of the company-provided and 34% of the personally-owned devices. BlackBerry represents 27% of the company-provided devices, but only 6% of the personally-owned units. After those three, shares drop off abruptly. Windows Mobile represents 3% of the company-provided devices, and 2% of the personally-owned units, and Windows Phone had 3% each of the company-provided devices and personally-owned units.

Having worked with clients in developing mobile policy and security plans, I can assure you there are steps that can be taken to implement very good security on mobile devices, both company-provided and personally-owned. Reading through the results of this year's survey, I got the distinct feeling that mobile security was getting short shrift in too many organizations. We found that 45% of respondents didn't include mobile security in their general security awareness training or didn't have a security awareness training program at all.

Besides the lack of budget and resources, one thing working against us, ironically, is that we haven't yet had a major security breach that was tied to a lost or stolen smartphone or tablet. However, one front-page story in the Wall Street Journal could change that in a hurry. In the meantime, the mobile security bomb seems to be ticking, and we just hope it doesn't have our name on it.
