The Information Security LinkedIn group released a new survey from its 200,000-member community on the state of bring-your-own-device (BYOD) and mobile security initiatives in their enterprises. We provide our take on some of the findings from this comprehensive survey‘s 1,100 responses.
To BYOD or Not?
According to the survey, over 60 percent of enterprises allow or tolerate employee use of personal devices to access enterprise data. Only a small minority of enterprises, 11 percent, have no plans to allow such usage. Enterprises that allow BYOD expect the primary benefits to be improved employee productivity and satisfaction and better overall security, and 58 percent expect related budgets to increase or stay flat.
Our Take: Device ownership is destined to become a nonissue, and IT organizations must adopt new capabilities to secure enterprise applications and data on a shared personal or corporate data device. Enterprises are embracing BYOD programs as an opportunity to invest in the secure productivity of their employees as opposed to a “cost of doing business.” Securing corporate data without making assumptions on device security makes enterprises less complacent and more rigorous in assessing and addressing security risks.
Enable Flexible Data Access
According to the survey, email access allowance is still king at 86 percent of responses, followed by access to documents, custom mobile applications and cloud services. Overall, structured data in enterprise databases is still deemed most valuable, with unstructured data a close second.
Our Take: Our devices enable access to critical enterprise resources. Sensitive data and transactions are accessed, stored locally and exchanged not only with data center apps, but also third-party services. BYOD enables a “personal” device image, but enterprises must take steps to secure local app execution, encrypt enterprise data where applicable and detect access and transactional risk.
Data Loss Doesn’t Equal Device Loss
The biggest mobile security risk, according to the survey, is losing enterprise data. In essence, the risk categories can be divided into three main areas: data (stolen, lost, unauthorized access), threat (fake apps, malware, exploits) and management (endpoint security, regulatory compliance).
Our Take: Enterprises must address each of these three dimensions through a holistic framework. Many enterprises have made progress on addressing the “lost device” scenario and data-loss risk with enterprise mobility management suites that enable a remote wipe of enterprise data from mobile devices. However, securing devices against compromise has a long way to go; this is partly due to the restrictions enforced by mobile OS vendors on the security community, which limits the ability to secure mobile platforms.
Mobility Impact: Tools and Resources
Enterprises are investing in resources (mostly security personnel) and tools (mobile device management and endpoint security solutions) to address the emerging mobile threats.
Our Take: Enterprises are taking steps to reduce mobile-related security risks. To minimize the burden, such resource allocation should occur in the context of a comprehensive plan that addresses enterprise-specific risk factors. For example, banks that provide online banking services to customers must address transactional risk from both laptops and mobile devices that they have absolutely no control over. Malware and phishing risks that are common to that environment should be assessed when new capabilities are rolled out (e.g., remote deposit capture).
Reducing Attack Surface: Beyond the Basics
Simple steps are the easiest to implement. Most enterprises require password protection to devices accessing enterprise data; this will deter the occasional thief but is probably no match for a focused adversary. Encryption and remote wipe provide additional layers of security.
Our Take: While these measures are a good start, security should be embedded in the enterprise mobility initiatives. For example, secure development practices and mobile penetration testing will reduce vulnerabilities that can be exploited by malware, thus reducing the attack surface. While the malware threat has quickly grown, its capabilities have slowly evolved on mobile devices. Recent developments should drive security teams to reassess the threat and the possible impact of credential loss on their enterprise security.
The survey shows enterprises’ increasing readiness to embrace BYOD programs. Enterprises are making investments in people and tools to manage the key risks to enterprise resources (applications and data), driven by mixing corporate and personal data and the evolving threat landscape. The business rationale for these investments is boosting employee productivity while improving security as a broader set of risks is taken into consideration; this is a no-brainer since we expect BYOD to become table stakes for virtually all enterprises in the next few years. Given the utility and importance of mobile devices to employees’ personal and work lives, this looks like a sound investment.