Mobile security was the greatest concern among
SearchMobileComputing.com members when it comes to devices that
attach to the network.
The 540 survey respondents included consultants, midlevel IT
managers, network engineers, IT executives, non-IT business
managers, non-IT business executives, telecommunications managers,
mobile support staff, midlevel network managers, network architects
and mobile managers.
A whopping 179 respondents, 34%, said network security was the
biggest issue they would face as more and more devices and users
require anywhere-access to network resources. Coming in at a strong
second was concern over the data stored on mobile devices, which
28%, or 147 respondents, said would be the biggest hurdle they face
as mobility grows within their organizations.

On their face, those numbers are nothing startling. Mobile
managers and IT pros have long voiced concern over the new security
vectors that can be introduced to an enterprise when mobility comes
into play. But digging a bit deeper into the survey results
reveals that while security is mentioned as a top concern, very
little is being done to protect the network and the devices that
connect to it.
"Actions speak louder than words," said Farpoint Group principal
Craig Mathias, noting that companies will say mobile security is a
major concern, but few implement the policies, tools and procedures
to lock down a mobile deployment. Typically, Mathias added,
companies are paying lip service, saying security is a concern
because they feel they have to, but when it comes down to it
nothing changes. "Yeah, it's important, but we're not doing
anything about it."
Jack Gold, principal and founder of J.Gold Associates LLC, a
mobility research and advisory firm, echoed Mathias.
"They know. They care. But that doesn't mean they're doing
anything about it," Gold said. "They know [security is] an issue.
They know it's a problem. Sometimes they don't know what to do
about it and other times they just have too many other things going
on to do anything about it."
Additional survey results confirm that point. More than half of
the respondents said they don't have a mobile security policy, have
a security policy that is not enforced, or don't know whether a
security policy is even in place. Among respondents, 42%, or 225,
said there is an enforced security policy within their
organizations. The remainder, however, said no policy is in place,
a policy is in place and not enforced, or they didn't know whether
their organization had a security policy.

"Security is an issue and will obviously remain an issue,"
Mathias said. "But mobile security is a painful thing. What we're
trying to do is keep the bad guys off the network and make sure
sensitive information is never visible…"
What makes mobile security so painful, Mathias said, is similar
to what makes network security or desktop security painful. Mobile security
costs money, but determining how much it will cost requires the
creation of a security policy to figure out what is needed.
Companies must ask themselves, "how much are you willing to
spend to protect the network and protect data?" Mathias said. "But
you won't know that without a policy."
Gold outlined several reasons why mobile security is not yet up
to snuff in many organizations. He said some are waiting for
vendors to solve the problem, many don't have the budget to spend
on security, some don't have the internal resources, and others
don't know how to solve the problem at all. Additionally, he said,
some companies have various devices deployed within an organization
and don't have the wherewithal to find an adequate solution to
cover all of the necessary bases.
"We have a gap between perception and reality here," Gold said
of the survey results. The perception is that security is
needed, but the reality is that it isn't implemented.
"It hasn't been a major headache for most companies," Gold
continued, adding that many companies haven't yet suffered a
detrimental mobile security breach or haven't been required to
implement security measures for regulatory compliance.
Mathias said companies need a clear-cut plan that outlines what
needs to be protected, how they will protect it and what happens if
data or the network gets compromised. Then that plan has to be
communicated and strictly enforced. In some cases, it may be as
simple as allowing only enterprise-authorized or -issued devices
access to certain applications and data, such as corporate
directories. In other cases, it could mean creating an edict that
requires all device users to authenticate to the network and
applications through password protection.
But as the results of the SearchMobileComputing.com survey show,
password protection isn't all that prevalent. The survey found that
half of all respondents said their mobile security policy doesn't
require users to enable password protection or that they don't know
if password protection is in place.

The lack of password protection and enforced security policies
is particularly staggering when considering what respondents
flagged as the most important security issues they face.
Respondents were allowed to pick all security concerns that apply.
The majority of respondents, 70.19%, or 379, said mobile device
loss or theft is their biggest security fear, while 48.70%, or 263,
were most worried about unauthorized network access.

"What this all means is that, ultimately, [companies] have to do
the same thing they did with computers," Mathias said. "But with
mobility, we're still in the 'I don't know' stage."
That "I don't know" stage is caused by companies trying to do
more with less. Devices are deployed and data is used on them and
accessed through them, but IT budgets are dropping and managers are
forced to try to work with fewer resources.
"The tools and techniques are mysterious to them," Mathias said,
calling mobile security a "black art." He added that companies are
going to incur the bulk of costs associated with mobile security
policies and deployments by educating end users and putting
mechanisms in place that end users can't work around.
"The key is going to be developing the necessary security policy
with a focus on the enterprise and putting in place the right
management capabilities," he said.