Enterprise users conduct an increasing amount of work on personal mobile devices, according to a new survey, despite growing concern among enterprise security teams that bring your own device (BYOD) usage puts sensitive data in peril.
For its newly released survey, "Security in the New Mobile Ecosystem," the Ponemon Institute surveyed more than 600 IT practitioners who are involved in securing and managing mobile technology at their respective organizations. Out of those respondents, 40% said that as many as one-fifth of employees in their organizations use mobile devices exclusively to do their jobs.
Of those surveyed, 31% predicted that in the next 12 months, mobile devices would become the exclusive business computing devices of a majority of employees. The typical organization in the survey supports around 20,000 employee-owned devices, but that number is also expected to rise to an average of 28,000 devices by next year. The most frequently performed work tasks on mobile devices included business email, calendaring and texting.
Between the perceived productivity gains and the real cost savings provided by BYOD, Ashok Sankar, vice president of cyber strategies at Waltham, Mass.-based Raytheon Co., which sponsored the Ponemon report, said that it is unsurprising to see enterprises encourage employees to use personal devices more in the workplace because of the numerous business benefits. However, those business benefits can't be an excuse for ignoring enterprise BYOD security concerns, said Sankar, which is what slightly more than half of respondents said their organizations do on a frequent basis.
"There's all these devices coming in," said Sankar, "but there is no central strategy of how they're going to bring in mobility and address these mobile security challenges."
Bigger budgets, better technologies needed for mobile device security
Though security is often sacrificed for productivity gains, respondents to the Ponemon survey highlighted two key problems that undermine current BYOD security efforts: insufficient budget to secure mobile devices and a general dissatisfaction with current mobile device security technologies.
Among those surveyed, the cost of managing and securing mobile devices varied greatly depending on the size of an organization. Those enterprises that manage more than 50,000 devices spend on average less than $100 per device annually on BYOD security, while those managing fewer than 250 devices spend more than $600 per device annually. The average across all organizations was $278 per device. Yet despite spending a sizable chunk of money per year securing devices that technically don't belong to the business, only 36% of those surveyed felt that they had an adequate budget to effectively mitigate mobile security threats like malware infections, device theft or loss, and negligence by end users.
"Mobile devices are considered a big threat vector for enterprises, but budgets are lacking," said Sankar. "So there is an imbalance."
Those budgetary concerns likely explain why 30% of respondents admitted to having no BYOD security technologies in place, but many of those organizations with money to spend on BYOD security concerns indicated that the products available on the market today are insufficient.
Among the most popular technologies used by surveyed organizations were mobile device management (MDM) suites, secure containers and encryption for stored or transmitted data, each of which was used by one-third or more of respondents. However, 50% of participants said they were not satisfied with the technology they use to secure employees' mobile devices.
As for what respondents would like to see in the mobile device security market, 57% indicated that it was important to have some form of mobile virtualization in place so that sensitive enterprise data would reside and be accessed somewhere outside of the device itself, a move that Sankar said would essentially turn mobile devices into thin clients.
Outside of the tech itself, Sankar emphasized that there are strategic maneuvers that organizations can make to improve BYOD security. For one, he said enterprises must transition to a model where mobile devices are managed centrally rather than on a departmental or individual basis. As part of that transition, organizations should rethink any data classification that has already been performed to determine what data is too sensitive to go onto mobile devices, and what data an organization can afford to lose.
Enterprises should also focus on educating users about the risks that accompany the use of personal devices in work settings, Sankar said, as well as the responsibilities employees have to secure work data. This is especially important, he added, because so many users push back against any BYOD security measures. In fact, 56% of respondents to the Ponemon survey cited employee resistance as a major barrier to an effective mobile security strategy.
"'I'm going to give you the flexibility to use the device that you want, but with flexibility comes responsibility,'" Sankar said. "That aspect needs to be addressed."