The State of Mobile Security

We just posted the InformationWeek 2013 State of Mobile Security Report, and got a good look at how users are dealing (or "not dealing") with the security challenges of the BYOD era. The report is based on a survey of 424 IT professionals, all of whom are involved with mobile device management, policy development and/or security at their respective organizations.

The first point that became clear was that BYOD is forging ahead, with 68% of respondents now allowing employees to use their personally owned devices for work; that's up from 60% last year. Another 20% are developing a BYOD policy, so fairly soon 88% of organizations will be supporting BYOD in some form.

Surprisingly, when we asked what percentage of the mobile devices accessing corporate email were company-provided versus personally owned, we found that 60% were still company-provided. It will be interesting to see how that changes next year.

Security was our main focus, and we asked users to identify their top three mobile security concerns. "Lost/stolen devices" led the list of concerns, with 78% citing it, followed by "Users forwarding corporate information to cloud-based services" (36%) and "Mobile malware in apps from public app stores" (34%).

Surprisingly, the security of the corporate Wi-Fi network is still a concern for almost a third of respondents, despite the fact that security options like WPA2 encryption and 802.1X authentication have been around for years. However, while our respondents had "concerns", they did not appear to be taking adequate measures to address them.

To protect corporate data stored on mobile devices that go missing, the data needs to be encrypted, require a strong password for access, and be remotely wipeable. Policies involving on-device encryption were all over the lot. My recommendation would be "Hardware encryption, period", but that was selected by only 13% of respondents. The most often selected response, with 51%, was "Varies by device type, ownership or approved use"; multiple responses were allowed. Frankly, it doesn't matter who owns the device; data security is still a core IT responsibility.

With passwords, we found that 55% of respondents required a password to access the corporate data, and another 46% required a power-on password (multiple responses were allowed). Some 34% used on-device certificates and 19% required secure tokens, virtually the same percentages as a year ago.

None of the more "exotic" authentication mechanisms like pattern recognition, biometrics, or facial recognition came close to 10%. Cellular callback systems like Microsoft's PhoneFactor scored a mere 3%. Also, 36% reported using a virtual desktop solution like Citrix or VMware for at least some of their mobile devices.

The real key to enforcing security policies is to employ a mobile device management (MDM) system. While 88% of organizations now or soon will allow BYOD, only 39% report having an MDM platform in place, though another 33% plan to implement one within the next 24 months. Some 21% use Microsoft's Exchange ActiveSync for basic policy enforcement and remote wipe capability. For 45% of respondents, the mobility policy allows users to bring in personal devices so long as they agree to follow certain policies; 9% allow personally owned devices with no restrictions at all. One axiom in security is "trust but verify"; this looks a lot more like "trust and pray."

The other glaring deficiency is in protection from mobile malware, particularly on the Android platform. McAfee reports it now has 50,926 mobile malware instances on file, up from just 792 in 2011. Despite that, 42% of respondents do no malware scanning whatever and 35% scan for malware on at least some platforms--hopefully Android is on that list. Only 23% scan for malware on all platforms.

User preferences in mobile devices are clearly shifting as well. While Gartner puts Android's worldwide market share at more than three times that of Apple's iOS, the iPhone still leads in the enterprise with an average of 50% of the personally owned and 40% of the company-provided units; Android comes in second for total units with 27% of the company-provided and 34% of the personally-owned devices. BlackBerry represents 27% of the company-provided devices, but only 6% of the personally-owned units. After those three, shares drop off abruptly. Windows Mobile represents 3% of the company-provided devices, and 2% of the personally-owned units, and Windows Phone had 3% each of the company-provided devices and personally-owned units.

Having worked with clients in developing mobile policy and security plans, I can assure you there are steps that can be taken to implement very good security on mobile devices, both company-provided and personally-owned. Reading through the results of this year's survey, I got the distinct feeling that mobile security was getting short shrift in too many organizations. We found that 45% of respondents didn't include mobile security in their general security awareness training or didn't have a security awareness training program at all.

Besides the lack of budget and resources, one thing working against us, ironically, is that we haven't yet had a major security breach that was tied to a lost or stolen smartphone or tablet. However, one front-page story in the Wall Street Journal could change that in a hurry. In the meantime, the mobile security bomb seems to be ticking, and we just hope it doesn't have our name on it.

Follow Michael Finneran on Twitter and Google+!