Mobile devices aren't going away; mobile security needs to evolve just as rapidly
All organizations know that flexibility, productivity, and personalization were drivers of the BYOD movement that started to take hold five or six years ago. Nowadays, the term is barely used, but BYOD'ing is commonplace at 99% of organizations, according to a new study conducted by IBM and sponsored by ISMG. Mobile device usage is ubiquitous, and even office-based employees reap the benefits of being able to log on at any time from a tiny computer toted around in their pockets. According to the report, for which two hundred C-level security and technology leaders across all industries and geographies were surveyed, 63% of organizations allow personally owned and enabled mobile devices and another 55% deploy corporate-owned but personally enabled devices. Only 5% of organizations reported that mobile devices are not allowed.
This is good information, but Jason Hardy, Market Segment Manager for Mobile Security at IBM, wrote, "My goal for the study was to identify if and how mobile was transforming the enterprise and what companies were doing to secure their mobile initiatives." These results are harder to discern from the data. A majority of respondents—59%—said that they derive business benefits from mobility, including enhanced productivity, but that leaves 41% of the 99% that allow mobile devices who can't report or don't know how mobility is impacting the organization. Hypothetically, even logically, mobility has transformed the way employees work. Without concrete data, though, the impact on the organization is all guesswork and speculation. Indeed, nearly three-quarters of respondents replied that they are unable to link mobile usage to any discernible changes in revenue, the primary business driver.
Business impact may not be easily quantified, but business leaders are recognizing that allowing employees to work from mobile devices opens a door to security and IT problems, not unlike other new innovations, but one that is complicated—and has been extended—by the myriad device types, platforms, and security standards of providers on the market. The most significant challenge of mobility, as reported by respondents, is a greater number of security risks and concerns than expected (63%) when deciding to employ a mobile strategy. While the data didn't specifically dive into those risks and concerns, in the survey analysis Hardy wrote that "the number one concern" he consistently hears from the market is, "How do I protect my devices? They are worried about what happens if that device is lost or stolen. What data is at risk, and what access might someone gain to their environment with that device?"
You felt like dropping in, just expecting me to be free
Backing these claims, the survey asked respondents to select the areas in which they will invest, pertaining to mobility, in 2016.
2016 Mobile Security & Business Transformation Study, IBM
More than half—54%—responded that their organizations will put money into securing the device itself and the content contained on it. The largest category—access and fraud security—however, is aimed at commerce conducted through a mobile device. A customer-centric approach is understandable; if customers are breached (and the incident is reported), a negative financial impact is felt nearly immediately (even if a long-term effect isn't) and reputational damage can accompany a firm for years.
I grew strong, I learned how to get along
What are organizations doing to mitigate the probability of a security event? Forty-five percent of respondents said their organization has anti-virus and mobile malware detection deployed, another 42% use mobile device management (MDM) or enterprise mobility management (EMM), and 41% have a mobile security gateway/VPN through which users must connect. Surely there is some overlap between categories, with the most mature organizations deploying a combination of security protocols.
Staggeringly, though, more than half of the organizations said they are unaware of a mobile-related incident in the past year. This doesn't mean one didn't happen; it just means that the person answering the survey doesn't know if it (or multiple "it"s?) did. Fewer than a quarter of respondents answered that they could claim data loss from a mobile security incident, and even fewer said that they can attribute data leakage or unauthorized mobile access to enterprise applications or files.
Taking this data at face value, organizations have a great chasm to cross in terms of how to handle mobile device security. Yes, we've come a long way since the late 1990s, but a lot of old tricks are still used to manage these ever-evolving devices, and surely it won't be long until incidents attributed to poor mobile device security become prevalent.