Mobile security top concern, but policy isn't enforced

Mobile security topped the mobility issues companies face, but results of a survey found many organisations are not putting security measures and policies in place.

Mobile security was the greatest concern among members when it comes to devices that attach to the network.

The 540 survey respondents included consultants, midlevel IT managers, network engineers, IT executives, non-IT business managers, non-IT business executives, telecommunications managers, mobile support staff, midlevel network managers, network architects and mobile managers.

A whopping 179 respondents, 34%, said network security was the biggest issue they would face as more and more devices and users require anywhere-access to network resources. Coming in at a strong second was concern over the data stored on mobile devices, which 28%, or 147 respondents, said would be the biggest hurdle they face as mobility grows within their organizations.

On their face, those numbers are nothing startling. Mobile managers and IT pros have long voiced concern over the new security vectors that can be introduced to an enterprise when mobility comes into play. But digging a bit deeper into the survey results reveals that while security is mentioned as a top concern, very little is being done to protect the network and the devices that connect to it.

"Actions speak louder than words," said Farpoint Group principal Craig Mathias, noting that companies will say mobile security is a major concern, but few implement the policies, tools and procedures to lock down a mobile deployment. Typically, Mathias added, companies are paying lip service, saying security is a concern because they feel they have to, but when it comes down to it nothing changes. "Yeah, it's important, but we're not doing anything about it."

Jack Gold, principal and founder of J.Gold Associates LLC, a mobility research and advisory firm, echoed Mathias.

"They know. They care. But that doesn't mean they're doing anything about it," Gold said. "They know [security is] an issue. They know it's a problem. Sometimes they don't know what to do about it and other times they just have too many other things going on to do anything about it."

Additional survey results confirm that point. More than half of the respondents said they don't have a mobile security policy, have a security policy that is not enforced, or don't know whether a security policy is even in place. Among respondents, 42%, or 225, said there is an enforced security policy within their organizations. The remainder, however, said no policy is in place, a policy is in place and not enforced, or they didn't know whether their organization had a security policy.

"Security is an issue and will obviously remain an issue," Mathias said. "But mobile security is a painful thing. What we're trying to do is keep the bad guys off the network and make sure sensitive information is never visible…"

What makes mobile security so painful, Mathias said, is similar to what makes network security or desktop security painful. Mobile security costs money, but determining how much it will cost requires the creation of a security policy to figure out what is needed.

Companies must ask themselves, "how much are you willing to spend to protect the network and protect data?" Mathias said. "But you won't know that without a policy."

Gold outlined several reasons why mobile security is not yet up to snuff in many organizations. He said some are waiting for vendors to solve the problem, many don't have the budget to spend on security, some don't have the internal resources, and others don't know how to solve the problem at all. Additionally, he said, some companies have various devices deployed within an organization and don't have the wherewithal to find an adequate solution to cover all of the necessary bases.

"We have a gap between perception and reality here," Gold said of the survey results. The perception is that security is needed, but the reality is that it isn't implemented.

"It hasn't been a major headache for most companies," Gold continued, adding that many companies haven't yet suffered a detrimental mobile security breach or haven't been required to implement security measures for regulatory compliance.

Mathias said companies need a clear-cut plan that outlines what needs to be protected, how they will protect it and what happens if data or the network gets compromised. Then that plan has to be communicated and strictly enforced. In some cases, it may be as simple as allowing only enterprise-authorized or -issued devices access to certain applications and data, such as corporate directories. In other cases, it could mean creating an edict that requires all device users to authenticate to the network and applications through password protection.

But as the results of the survey show, password protection isn't all that prevalent. The survey found that half of all respondents said their mobile security policy doesn't require users to enable password protection or that they don't know if password protection is in place.

The lack of password protection and enforced security policies is particularly staggering when considering what respondents flagged as the most important security issues they face. Respondents were allowed to pick all security concerns that apply. The majority of respondents, 70.19%, or 379, said mobile device loss or theft is their biggest security fear, while 48.70%, or 263, were most worried about unauthorized network access.

"What this all means is that, ultimately, [companies] have to do the same thing they did with computers," Mathias said. "But with mobility, we're still in the 'I don't know' stage."

That "I don't know" stage is caused by companies trying to do more with less. Devices are deployed and data is used on them and accessed through them, but IT budgets are dropping and managers are forced to try to work with fewer resources.

"The tools and techniques are mysterious to them," Mathias said, calling mobile security a "black art." He added that companies are going to incur the bulk of costs associated with mobile security policies and deployments by educating end users and putting mechanisms in place that end users can't work around.

"The key is going to be developing the necessary security policy with a focus on the enterprise and putting in place the right management capabilities," he said.
