News Stay informed about the latest enterprise technology news and product updates.

CISOs fear lack of mobile device control, visibility, survey finds

Security professionals cite a lack of control and visibility into mobile devices as a major issue. Devices must be locked out of some organizations.

SAN FRANCISCO -- IT Security professionals’ mobile device security concerns are deeply rooted in the need to have visibility and control of all mobile devices attempting to connect to the corporate network, according to a survey conducted by the Ponemon Institute.

Many IT security teams are still searching for ways to better manage personally owned devices and ensure employees are following mobile security best practices. The Ponemon Global Study on Mobility Risks surveyed 4,600 IT security pros. It was released Wednesday at RSA Conference 2012.

The survey found some firms are extremely concerned with the use of recording devices, including smartphone microphones and cameras. As smartphones become thinner and more compact, denying their use in restrictive areas is becoming difficult to enforce.

Sixty-five percent of respondents are most concerned with employees taking photos or videos in the workplace, according to the survey, which was commissioned by security vendor Websense Inc. Other major concerns included the fear that employees would use their smartphones for unauthorized access to the Internet, personal email accounts or for downloading confidential data onto their devices.

“The [bring-your-own-device] BYOD phenomenon is rapidly circumventing security policies,” said Jason Clark, CSO of Websense. “It’s difficult to enforce security policies on something you do not control.”

Fifty-nine percent of respondents said their employees turn off security features, such as passwords and key locks, on laptops, USB drives, smartphones and tablets. More than half (51%) indicated they experienced data loss as a result of an employee using the devices insecurely.

Clark said many organizations are trying to take the technologies and security concepts for laptops and desktops at the endpoint and apply them to smartphones and tablets. “These are concepts that everyone has been educated on [for protecting] things and they’re trying to apply it over to something that is completely different,” he said.

Risks introduced by smartphones are being weighed with their benefits in the workplace, but the survey found it is out of the question for IT to ban employees from using smartphones. Seventy-seven percent of those surveyed indicated mobile devices are an increasingly important part of boosting employee productivity. “People view the mobile devices riskier because they have zero visibility and no endpoint security; we feel like put an agent on device and we control it and it’s a secure, and that’s a fallacy,” Clark said. “The truth is that laptops still currently pose a greater risk.”

The survey also found that the market for technologies that control and protect mobile devices is still evolving. Only 39% indicated they have the necessary security controls to address the risk, and only 45% have enforceable policies.

Kevin Mahaffey, founder and chief technology officer of Lookout Mobile Security, said his firm is primarily selling its mobile security applications to security-conscious consumers, but a recent analysis conducted by his firm was surprising because it found some enterprises encouraging employees to deploy their apps. Organizations are looking for the right mobile security technology to deploy, but so far, there hasn’t been a clear winner, he said.

“We’re at a point where everything is really just emerging and it’s moving real quickly,” Mahaffey told on Tuesday. “I’d expect to see some really interesting security technologies emerge over the next year or two that address many of the issues enterprises are having.”

View all of our RSA 2012 Conference coverage.

Dig Deeper on Security industry market trends, predictions and forecasts

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.