A study found that mobile device security is sacrificed for productivity in the workplace.
A study found that mobile device security is sacrificed for productivity in the workplace.

Productivity is driving the use of mobile devices in the workplace, and a recent poll of IT and IT security pros found that one-third of employees use the devices exclusively for work – a figure expected to rise to 47 percent in the next year.

The Ponemon Institute queried 618 practitioners who by and large (52 percent) believe that security is sacrificed for productivity. That “security is being compromised and circumvented” is not surprising considering end user negligence is among the top three concerns of enterprise security professionals, Ashok Sankar, vice president of Cyber Strategies at Raytheon, sponsor of the study, told SCMagazine.com in a Monday interview. “It's at the top of the list. It's huge,” he said.

But Sankar was surprised that that mobile device use was so high—“it shows you how much penetration these devices have in the enterprise,” he said—although the continued uptick is in keeping with workers' continued reliance on mobile apps, part of the BYOD phenomenon, to allow them greater flexibility to do their jobs.

The proliferation of, and reliance on, mobile devices (those surveyed said “40 percent of employees access business applications from personally owned mobile devices”) in the workplace, though, creates a special set of challenges for organizations and the IT security practitioners charged with protecting them. Among them,  the sheer number of devices that a security group must manage. According to Sankar, the typical enterprise represented in this study, "Security in the New Mobile Ecosystem," must manage an average of 20,000 mobile devices, a number that should balloon to 28,000 over the next year.

While volume is on the rise, budgets are not. Only a little over a third, 36 percent, of the study respondents said they have an adequate budget ($278 per device, or $5.5 million, annually) for dealing with the rise of mobile devices. And many believe their organizations don't do enough—with 30 percent saying their companies don't have any mobile strategies in place.

“When you dig deeper, most companies don't have a cogent mobile strategy,” said Sankar, explaining that a mobile strategy “can't be buried in a budget somewhere.” He also noted that accountability typically is dispersed throughout the enterprise. “There's not one owner, the responsibility is shared.” Indeed, 24 percent of those surveyed say mobile is a shared responsibility within their organizations and 23 percent said accountability lies with senior management within lines of business. The chief information officer is responsible in 21 percent of the companies in the survey, senior management in 22 percent, and the CISO in 19 percent.

Exactly half of the respondents, too, said they “are not satisfied” with the mobile security solutions that their companies use.

But possibly the biggest obstacle that IT security meets is user resistance. BYOD has turned the security paradigm on its head. Where IT once dictated to users what they could do, users are now calling the shots and, swayed by the convenience and flexibility of mobile connectivity, 52 percent “ frequently sacrifice security practices to realize the efficiency benefits,” the study revealed.

What's needed, said Sankar, is a “two-way conversation” to develop a strategy that preserves the user experience but adheres to important security tenets. “At the end of the day, it is the data that matters,” he said, explaining that security measures have mostly been aimed at the devices themselves. Organizations and their employees need to understand “what data is critical” and come to an agreement on which data can't be shared, or at least can't be shared under certain circumstances (over insecure WiFi in an airport in the middle of the night, for example).

Sankar is advocating for what Raytheon has dubbed virtual mobile infrastructure (VMI), which means taking a native app and securing it in a cloud or data center on the back end then redisplaying on a mobile device. “The device then becomes a thin, mobile client,” said Sankar. And users are free from the constraints of optimized Windows apps. He expects native mobile app use to rise from 37 percent currently to 50 percent within the next year.