It's not that IT pros see smartphones and tablets as disposable, exactly. It's just that the hardware is not nearly as important to the 371 business technology professionals responding to our 2014 InformationWeek Mobile Security Survey as the company data that people carry around on those devices. Securing that data is rated very important by 68%, a full 21 points ahead of securing devices themselves, using anti-malware or MDM client software. And 72% say their top mobile security concern is data compromise due to lost or stolen devices.
Our priorities are in the right place. Now we just need policies and controls to catch up. Nearly half, 46%, feel only moderately confident that their mobile security controls are effective at protecting data, and 40% worry about users forwarding corporate data to cloud-based storage services. In case you had any doubts, respondents confirm that IT consumerization is fully upon us, mostly thanks to mobility. Yet even as most companies allow -- even encourage -- employees to bring consumer mobile devices to work, enterprise security pros are still scratching their heads, wondering how best to deal with the influx.
Do we allow personal devices to access the internal network? How do we provide users with remote connectivity to collaborative resources hosted internally? Should we provide full management and configuration of employees' personal devices or look for a system that isolates and protects corporate data?
No surprise, the number of specialized vendors offering mobile device configuration and content management tools is increasing. Big players such as IBM and VMware are getting in on the action by acquisition, buying Fiberlink (MaaS360) and AirWatch, respectively.
Before selecting from among the product panoply, however, you need to wrap your head around one key concept: Data security is data security, period. Keeping corporate data safe on a user's personal mobile device isn't all that different from protecting a corporate laptop that's being used on free public wireless networks.
Remember what you're supposed to protect -- sensitive information. Work from there. Wasting time complaining about consumerization and how managing employee-owned devices is such a huge imposition is not helpful. And ignoring it is foolish. Says one survey respondent: "Many of these questions ask if we 'allow' types of behavior. We don't. However, the fact that we have nothing in place to prevent it constitutes permission."
All respondents in this year's Mobile Security Survey are involved with mobile device management, policy development, or security at their organizations, and it shows. At 76%, data security was cited as a policy driver by twice as many respondents as those saying their security policies are driven by regulatory or legal compliance, or enhancing mobility and telework. Surprisingly, only 23% cite bring-your-own-device requests as a primary driver, yet 66% of all respondents say they allow employees to use personal devices at work.
Protect data, not devices
Because IT teams are focused on data security when it comes to mobile security policies, they put an increasing importance on the management of mobile devices, mobile applications, and the content on those devices. Systems like MaaS360 and AirWatch provide the expected capabilities of managing devices and applications but have added much-needed features for managing content and access to enterprise collaboration resources.
Early mobile device management suites focused more on managing and securing the device itself. These MDM options tried to mirror what IT was used to with BlackBerry, even if it wasn't quite as granular. Basic MDM systems allow for little separation between an employee's personal data and applications and the employer's applications and data. If the device is lost or stolen, or the employee leaves under bad terms, wiping the device will destroy the personal data along with the company's data. Accidental device wipes also have been known to happen.
Companies we've worked with prefer systems that support containerization of applications and data. This approach helps prevent accidental loss of personal information because IT can do selective wiping of the container. IT can still configure and control policies and device-wide settings, but company email, files, and calendars are in an MDM-specific application. And all content within the container can be encrypted.
Among survey respondents, nearly half don't allow corporate data to be stored on personally owned mobile devices. Of those that do, 33% require that the data be within a container. We expect that percentage to rise, because IT wants to control data and guarantee encryption, no matter if the device runs Android or iOS.
Theft or loss isn't the only threat to company data stored on mobile devices. We've seen a large increase in mobile malware each year for the last several years. While it's possible for devices to pick up malware via drive-by downloads and plugging into infected computers, most malware comes from app stores and gets installed by unsuspecting users.
It's for this reason that the majority of survey respondents restrict what apps can be installed on mobile devices. For company-owned devices, 18% allow personal apps to be installed as long as they're on an approved list, 32% have the ability to enforce a blacklist, and 26% allow app installation with no restrictions. Policies for employee-owned devices are similar with one exception: Survey participants are more likely to allow users to install personal applications when they own the device.