SearchSecurity.com polled 768 IT and security professionals in April 2013 and the data clearly indicates that the challenges of securing a multi-device environment continue to mount. While shifting IT assets outside of the firewall can help companies to lower costs, roughly 60% of the Enterprise Mobile Security Survey 2013 respondents believe mobile devices present more risk to their organizations compared to Q2 2012.
About 30% of respondents do not see higher risk, while 13% said they don’t know.
The consumerization of IT isn’t slowing down as more employees use personally-owned devices to access corporate data and applications. But a surprising finding in our 2013 survey was how many companies no longer even issued mobile devices outside of traditional laptop computers, sliding from 83% in our Enterprise Mobile Security Survey 2012 to 65% (Figure 1).
Despite growing concerns over mobile security, only 60% of respondents indicated that their organization required security technologies on mobile devices. In the group that did, the security initiatives ranked as follows: access control (67%), authentication (57%), encryption (53%), remote wipe (44%), antimalware (44%), PIN enforcement (42%), remote lock (39%), Microsoft ActiveSync (38%), remote access VPN (37%), mobile device management (36%), policy configuration and enforcement (34%), application control (30%), app store restrictions (29%), remote software distribution (23%), blacklist capabilities/data containment (23%), jailbreak detection (21%), GPS tracking (19% ) and whitelist capabilities (14%). Perhaps, more alarming is the 40% of organizations, according to those surveyed that don’t require use of security technologies on mobile devices.
The challenges of taming multi-device environments are quickly becoming the norm, however. About half of survey respondents (49%) indicated that their organizations applied unique security policies and controls for each mobile platform, with Apple iOS and Google Android topping the list of mobile platforms supported on non-company issued devices (Figure 2). Less than half (43%) of those surveyed did not have different security policies based on mobile operating systems.
At the same time, 43% of organizations required employees to sign a consent document that grants the employer at least limited control over any personally owned device that accesses corporate systems or data, while 57% did not have any such policy. About half the respondents said that their employers allow non-company mobile devices to access the corporate network and data (Figure 3).
App security better than desktop
What types of applications do employees access via personally-owned mobile devices? According to survey respondents, 79% use personal email, instant messaging and chat applications; 68% use Web browser and productivity applications, such as Microsoft Office; 59% access social media; 49% access the corporate intranet and 41% use corporate applications.
Securing the application layer has received a lot of attention in 2013 as more mobile application management systems and related technologies emerge. Problems persist with device data leakage, including apps that request too many permissions (e.g., access to contacts) or hook into other areas on the device. Half of survey respondents indicated that their company is putting more resources —money and staff hours—into mobile application security in 2013, compared to Q2 2012. But almost one-third (29%) of organizations do not have plans to put more resources towards mobile app security, and one-fifth didn’t know. These developments coincided with the heightened focus on mobile app security and operating systems in April, as Facebook blurred the lines when it rolled out its new apperating system, Facebook Home (built on the Google Android OS).
So what’s changed? In our 2012 survey, the top five mobile security concerns ranked as follows: device loss, application security, device data leakage, malware attacks and device theft. This year device data leakage ranked first (45%), followed by unauthorized access (41%), device loss/theft (40%), application security (38%) and compliance and malware attacks (28%) tied for fifth—when respondents were asked to select their organizations’ top three mobile security concerns—as shown in Figure 4.
Not surprisingly, mobile identity and access management is high on the list of enterprise mobile security concerns, even though vendors of classic identity and access management systems are attempting to extend the functionality. According to this year’s survey, all the employees at 28% of the organizations have access to corporate network/data resources such as email, applications or customer data; more than half of the employees have access at 29% of the organizations; and less than half have access at 35% of the organizations. None have access at 2% of the organizations, and 6% of respondents indicated that they don’t know. ( See Figure 5 for types of data access on personally-owned devices.)
Data loss continues to rank as the top threat in enterprise mobile security on all sides with device data leakage and device loss and theft, among the common problems. Of particular concern for many companies is how data is handled when users switch phones or leave the organization. Despite these security threats, backups on non-company issued devices at the majority of organizations (70%) are never required, according to survey respondents. Of the 30% that do demand backups on employee-owned devices, 12% required it daily, 11% weekly, 5% monthly, 2% hourly, and 1% of organizations limited the personal device backup requirements to quarterly.
At the same time, 44% of organizations allow users to access app stores on company-issued mobile devices and freely download apps; however, our survey data indicates that’s a considerable decline from the 52% of companies that followed this practice in 2012. One-fifth of companies in 2013 permitted their employees to download approved app stores and applications. About one-third of organizations (36%) do not sanction any app downloads on company-issued devices.
With close to 30% of organizations posing app store restrictions, according to our Enterprise Mobile Security 2013 survey, it’s not surprising that 16% of respondents indicated that their organizations planned to build their own app stores.
By 2014, employee devices will be compromised by malware at more than double the rate of corporate-driven devices, according to Gartner. So far that hasn’t happened; despite industry warnings that hackers go where the opportunity lies. From a software publisher’s standpoint, it’s a lot easier to write secure code for modern mobile platforms such as Apple iOS and Google Android than it is to sandbox programs and data, for example, on legacy desktops.
“Historically, Apple iOS has been proven to have the right mix of policy, process and technology to make the bad guys avoid it,” said Brad Arkin, chief security officer, Adobe Systems.
“With Android, I think its weaknesses are also its strengths,” he said. “Because it’s so open, bad guys can use side-loading mechanisms and trick people into loading something malicious, but at the same time that openness allows [organizations] like the NSA to put together a secure version of Android including a secure broadband connection back to the mothership,” he continued. “Android also allows you to do security monitoring software, which is not possible on iOS.” Of course, Android security depends on several factors—platform flavor, hardware, updates and what kind of app stores you are using, noted Arkin.
“I don’t think the desktop attack vector of going after people through email and browsers is going to be a near-term problem for mobile devices just because the attack surface is very different, and it’s not as attractive for the bad guys,” he added.
Android is often viewed as an easier malware target because it exposes native APIs, but mobile platform breaches overall remain rare. Even so, 65% of security professionals in our Enterprise Mobile Security 2013 survey viewed the Android platform as carrying some level of risk. According to those surveyed, 38% of respondents indicated that the Android platform presented “some risk” to enterprises; 23% considerable risk, 4% an unacceptable level of risk, 16% no notable risk and 19% had no opinion Figure 6 details which mobile threats respondents felt posed the greatest risk to their organizations.
While mobile malware has yet to cause significant problems, mobile device security policies may not be keeping pace with the rapid developments in enterprise mobility. One-fifth of respondents claimed that their organizations didn’t have mobile device security policies. What?!
Of the organizations that did, close to half (44%) do not require employees to read and sign the documentation.
On a positive note, more than half (56%) indicated that their organization required employees to read and sign the company’s mobile device security policy, but that’s a significant drop from the 81% that reported that requirement in our Q2 2012 survey.
As BYOD continues to take hold, Gartner expects more companies to follow the college and university models by enforcing mobile security policies that govern network access instead of controlling personally-owned devices.
Mobile device policy updates
In organizations with mobile device policies, 26% have updated these documents in the past year, 14% within the past three months, 7% within the past 30 days, 6% within the past two years and 4% in the past three years or more.
The biggest drivers of recent mobile security device policy updates, according to the Enterprise Mobile Security 2013 Survey: to satisfy internal corporate requirements (20%), address new threats (17%), manage new devices (15%) and compliance (11%). However, 13% of respondents indicated other, while 59% didn’t know.
Despite indications of a mobile tipping point, executives remain more involved in general IT security decisions and policies, according to those surveyed, as shown in Figure 7.
Finally, which top three mobile security technologies did security professionals expect their organizations to spend more on this year (compared to Q2 2012)? One-third of respondents selected access control; one-quarter said data loss prevention and authentication; followed by antimalware (22%) and encryption (20%) to round out the top five. Mobile device management (18%) finished sixth. Other security initiatives where respondents expected their organizations to increase spending in 2013 include: remote access VPN (15%), application control (12%), remote wipe (12%), policy configuration and enforcement (11%), ActiveSync (11%), and data containment (11%).
In our 2012 survey, roughly half of respondents honed in on the top five: authentication topped the list (53%), followed by data loss prevention (51%), access control (50%), encryption (45%) and remote wipe (41%). What a difference a year makes.
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
Send comments on this column to firstname.lastname@example.org.