CIOs See Smartphones As Data Breach Time Bomb

Strategic Security Survey: Global Threat, Local Pain

Eight out of 10 CIOs think that using smartphones in the workplace increases the business's vulnerability to attack, and rank data breaches as their top related security concern. Yet half of organizations fail to authenticate their employees' mobile devices, among other basic security measures.

Those finding come from a report released Wednesday conducted by market researcher Ovum together with the European Association for e-Identity and Security (EEMA).

The study found that the so-called consumerization of enterprise IT, meaning employees who bring ostensibly consumer devices to work, continues at full pace. According to the report, 48% of employees are allowed to use mobile devices that they own to connect to corporate systems. Meanwhile, 70% of employees can currently use corporate-owned computing devices for personal activities.

"Employees will want to use their devices, no matter who owns them, for both their work and personal lives," said Graham Titterington, a principal analyst at Ovum, in a statement. "It is unrealistic to delineate between these uses for employees who are mobile and working out of the office for a large part of their time."

Interestingly, 90% of organizations provide -- or will soon offer -- mobile devices to their employees. A majority said those devices would be BlackBerry smartphones, which mirrors the continuing market dominance of the BlackBerry platform -- with a 37% market share, ahead of Apple (24%) and Android (21%).

But mobile device security controls remain a weak point, with only half of organizations authenticating their mobile device users. Among those, about two-thirds rely on usernames and passwords, while 18% use public key infrastructure (PKI) certificates, and only 9% employ two-factor authentication with one-time passwords. Furthermore, only about 25% of organizations ensure that employees' mobile devices are running antivirus and anti-malware software.

"As this new study bears out, putting a smartphone security strategy in place is now a business imperative," said Roger Dean, director at EEMA, in a statement. "But how many organizations have the in-house expertise required to develop and implement a mobile strategy that fits seamlessly with their overall security profile?"

According to Titterington, "organizations must establish a holistic security strategy that addresses the consumerization of this fast-growing channel into corporate networks and data."