July 16, 2014 By Yishay Yovel 3 min read

The Information Security LinkedIn group released a new survey from its 200,000-member community on the state of bring-your-own-device (BYOD) and mobile security initiatives in their enterprises. We provide our take on some of the findings from this comprehensive survey’s 1,100 responses.

To BYOD or Not?

According to the survey, over 60 percent of enterprises allow or tolerate employee use of personal devices to access enterprise data. Only a small minority of enterprises, 11 percent, have no plans to allow such usage. Enterprises that allow BYOD expect the primary benefits to be improved employee productivity and satisfaction and better overall security, and 58 percent expect related budgets to increase or stay flat.

Our Take: Device ownership is destined to become a nonissue, and IT organizations must adopt new capabilities to secure enterprise applications and data on a shared personal or corporate data device. Enterprises are embracing BYOD programs as an opportunity to invest in the secure productivity of their employees as opposed to a “cost of doing business.” Securing corporate data without making assumptions on device security makes enterprises less complacent and more rigorous in assessing and addressing security risks.

Enable Flexible Data Access

According to the survey, email is still the most commonly allowed form of access, at 86 percent of responses, followed by access to documents, custom mobile applications and cloud services. Overall, structured data in enterprise databases is still deemed most valuable, with unstructured data a close second.

Our Take: Our devices enable access to critical enterprise resources. Sensitive data and transactions are accessed, stored locally and exchanged not only with data center apps, but also third-party services. BYOD enables a “personal” device image, but enterprises must take steps to secure local app execution, encrypt enterprise data where applicable and detect access and transactional risk.

Data Loss Doesn’t Equal Device Loss

The biggest mobile security risk, according to the survey, is losing enterprise data. In essence, the risk categories can be divided into three main areas: data (stolen, lost, unauthorized access), threat (fake apps, malware, exploits) and management (endpoint security, regulatory compliance).

Our Take: Enterprises must address each of these three dimensions through a holistic framework. Many enterprises have made progress on addressing the “lost device” scenario and data-loss risk with enterprise mobility management suites that enable a remote wipe of enterprise data from mobile devices. However, securing devices against compromise has a long way to go; this is partly due to the restrictions that mobile OS vendors enforce on the security community, which limit the ability to secure mobile platforms.

Mobility Impact: Tools and Resources

Enterprises are investing in resources (mostly security personnel) and tools (mobile device management and endpoint security solutions) to address the emerging mobile threats.

Our Take: Enterprises are taking steps to reduce mobile-related security risks. To minimize the burden, such resource allocation should occur in the context of a comprehensive plan that addresses enterprise-specific risk factors. For example, banks that provide online banking services to customers must address transactional risk from both laptops and mobile devices that they have absolutely no control over. Malware and phishing risks that are common to that environment should be assessed when new capabilities are rolled out (e.g., remote deposit capture).

Reducing Attack Surface: Beyond the Basics

Simple steps are the easiest to implement. Most enterprises require password protection on devices accessing enterprise data; this will deter the occasional thief but is probably no match for a focused adversary. Encryption and remote wipe provide additional layers of security.

Our Take: While these measures are a good start, security should be embedded in the enterprise mobility initiatives. For example, secure development practices and mobile penetration testing will reduce vulnerabilities that can be exploited by malware, thus reducing the attack surface. While the malware threat has quickly grown, its capabilities have slowly evolved on mobile devices. Recent developments should drive security teams to reassess the threat and the possible impact of credential loss on their enterprise security.

Download Full Report: BYOD & Mobile Security Survey

Summary

The survey shows enterprises’ increasing readiness to embrace BYOD programs. Enterprises are making investments in people and tools to manage the key risks to enterprise resources (applications and data), driven by mixing corporate and personal data and the evolving threat landscape. The business rationale for these investments is boosting employee productivity while improving security as a broader set of risks is taken into consideration; this is a no-brainer since we expect BYOD to become table stakes for virtually all enterprises in the next few years. Given the utility and importance of mobile devices to employees’ personal and work lives, this looks like a sound investment.

BYOD & Mobile Security Report from Holger Schulze

 
