Despite the widespread proliferation of mobile devices, a third of UK organisations have no coherent security policy in place to deal with inappropriate usage, loss or theft.
Those are the findings of a survey undertaken by ZDNet.co.uk in association with market researcher Rhetorik. Although losing a mobile device can lead to the exposure of sensitive corporate data or emails, or result in unauthorised access to the company network, it appears that a lot of companies aren't taking the issue seriously.
The study revealed that the development of mobile-security policies decreased sharply in relation to the size of the organisation and in line with the number of devices it had deployed. While 85 percent of large enterprises had been careful to implement such policies, only two-fifths of SOHO (small office/home office) companies with fewer than 10 staff had done likewise.
Of those organisations that had chosen to introduce mobile-security policies, the survey found that almost all had taken the time to communicate with personnel to ensure awareness of those policies.
Seventy-nine percent of respondents opted to notify users in writing, while the rest — mainly smaller companies and those with low numbers of handhelds — tended to discuss the issue with staff verbally. Two percent failed to communicate their policies at all, making the creation of such policies rather pointless in the first place.
Rick Paskins, managing director of Rhetorik, explained why such policies are important and why staff members need to be alerted to them: "Employees' use of mobile devices may lead to vulnerabilities in the organisation's network and information systems, possibly brought about by the introduction of a virus or other malware obtained by users accessing systems outside the company firewall. Without proper controls, use may also allow company employees to access unauthorised information and the theft of valuable company data becomes easier."
Twelve percent of those questioned admitted they had not developed any means of enforcing compliance. Of those that had, some 61 percent relied on managers to supervise staff behaviour, while about a third deployed monitoring and analysis tools, and some used both techniques.
Not surprisingly, probably due to cost reasons, the focus of smaller organisations was on management supervision, with only 15 percent in the SOHO space introducing tools to help them out. This compares with more than half of large enterprises embracing the tools-based approach.
Interestingly, survey participants were also asked whether their mobile-security policies prohibited members of staff from using personal gadgets for business reasons, whether in the workplace or on the road.
This is because, as Paskins pointed out: "A variety of issues can arise if such devices are allowed, including access, support and configuration issues for IT, as well as a raft of data- and network-security concerns from different, and possibly uncontrolled, devices in use."
Despite this, the use of consumer machines appears to be widespread. More than a third of respondents said that their companies had banned the use of personal devices, but some 51 percent said that they routinely used a mix of personal and company-owned devices, while about eight percent used only their own handhelds.
This pattern again varied with company size, however. At the high end, about half of those questioned were only allowed to use company offerings, while this figure fell to one-fifth in the SOHO market.
By far the biggest security concern among organisations in this context, meanwhile, related to data and information loss. Nearly two-thirds of organisations saw this as a "very important" threat, while just over half were "very worried" about network security issues. About 42 percent also considered...