Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Risky mobile behaviors routine in business

Like it or not, iPads, iPhones and Android devices are making their way into enterprises, and while a vast majority of organizations have policies around mobile device use, risky behaviors are still commonplace, according to a report released Tuesday by McAfee and Carnegie Mellon University.

The report, which focused on the consumerization of IT and its impact on security, found that there is a “serious disconnect” between policy and reality in the mobile computing environment within the enterprise. A survey of more than 1,500 mobile device end-users and senior IT decision-makers, conducted by research firm Vanson Bourne, on behalf of McAfee and Carnegie Mellon, found that 95 percent of organizations have mobile security policies in place. Only one in three employees are very aware of such policies, however.

“This means that unmanaged and unsecured devices predominate, even as the mobile device population continues to grow,” David Goldschalg, vice president of mobility at McAfee, told SCMagazineUS.com in an email Wednesday.

Despite having policies around mobile device use, most organizations' mobile security postures are weak, the survey found. Approximately half of users keep passwords, PIN codes or credit card details on their mobile devices, for example. Further, one in three employees use their device to store sensitive work-related information.

According to the survey, 63 percent of mobile devices on corporate networks are used for both business and pleasure.

“Devices are no longer consumer devices or business devices,” the report states. “They are both.”

From a threat perspective, lost and stolen mobile devices are the greatest concern for IT professionals and end-users, the survey found. Forty percent of organizations have had a mobile device lost or stolen in the past. Moreover, half the devices that have gone missing contained business-critical information. And, more than a third of mobile device losses had a financial impact on the organization.

On a more positive note, however, such incidents are prompting some enterprises to place a greater emphasis on mobile security, according to the survey. Two-thirds of companies that had a mobile device lost or stolen have increased their device security due to the incident.

Despite the risks, smartphones and tablets undoubtedly allow employees to be more efficient and effective. Consequently, reliance on such technologies is significant and growing, the survey found. Nearly half of respondents said they are very reliant on mobile devices, and 70 percent said they are more reliant now compared to 12 months ago.

Given employees' growing dependence on mobile devices, security practitioners should embrace consumerization instead of trying to fight it, and look for ways to enable and secure employee-owned technology, McAfee researchers recommend. Specifically, enterprises must educate employees about mobile risks and threats through employee agreements and training sessions. To better protect data stored on smartphones and tablets, organizations should apply data leakage processes and mechanisms to the mobile environment.

“Education and responsibility are very important, especially as the BYOD (bring-your-own-device) model starts to dominate,” Goldschalg said. “Users have a responsibility to their employer to protect corporate data, and have to be an active partner in that process.”

In addition, security practitioners should start thinking more about the risks of mobile applications, which Goldschalg predicted will "explode, especially around Android."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.