Research: The lowdown on mobile security

Research conducted by Rhetorik Market Intelligence and ZDNet.co.uk has revealed that companies are being left behind when it comes to securing mobile devices.

Implementation of a policy on the use of mobile devices is not universal. Although almost two-thirds of the companies researched had such a policy in place, this left a third that did not. However, while the lack of a policy was quite commonplace among the smallest of organisations, availability increased steadily with increasing size of enterprise.

Encouragingly, where such a policy does exist, it is almost universally communicated to employees. Approaching four-fifths of enterprises notified all users of the policy in writing, and most of the rest discussed it with their staff.

  • The enforcement of a mobile-security policy is also a matter of some importance, but 12 percent of organisations with a policy in place claimed to have no means of ensuring it was complied with. Of those that did, the majority depended on management supervision of their staff, and most of the rest on monitoring and analysis tools. Monitoring and analysis tools were more widely applied in the larger organisations.
  • Use of personal mobile devices in the workplace is widespread. Although more than a third of all respondents stated that only company-owned devices were allowed, nearly 60 percent said that personal devices or personal and company devices were permitted by their employer.
  • When questioned about the type of mobile-security threat, data and information security was of greatest concern to our respondents, followed closely by security of the company network and, finally, security of the mobile devices themselves. However, all types of security threat were taken seriously, with more than 85 percent of respondents considering each type of threat to be important.
  • Although the physical loss of devices is considered the least important of the three main types of threat, the loss of information when a device containing company-sensitive data or emails is lost or stolen is of great concern. This was rated the most important specific threat of all those considered. Next in importance was the possibility of unauthorised access by third parties to company-sensitive communications or data. This was followed by the loss or theft of mobile devices providing access to data on the company network.
  • The two most important security measures identified were firewall and antivirus/anti-spam software. These are widely applied by more than two-thirds of all respondent organisations, with only modest growth in deployment anticipated in the near future.
  • Half of all respondents reported the use of WLAN encryption and data encryption on their VPN, and data replication/backup was similarly applied. Each of these exhibited moderate growth, with around eight percent of all organisations planning to newly adopt these security measures over the next two years.
  • All too often, authentication is by single factor alone, although two-factor authentication is rapidly increasing in popularity, with twice the number of current user enterprises anticipating deployment in two years' time.
  • Strong growth is also anticipated for compliance control, remote wiping and remote monitoring, albeit from a smaller current-user base.

The proliferation in use of mobile devices brings with it a number of serious security concerns.

The small size and portability of the devices make them highly vulnerable to loss or theft. When this happens, it is important that strong access controls and data-protection measures are in place to protect against unauthorised access to data, network and email, as well as other inappropriate communications. The loss of data, contact lists and other information stored on the devices themselves can also be a major problem under these circumstances.

Furthermore, use of these devices by employees may lead to vulnerabilities in the organisation's network and information systems, possibly brought about by the introduction of viruses or other malware obtained through user access to systems outside the company firewall. Without proper controls, use may also allow company employees to access unauthorised information, and the theft of valuable company data becomes much easier.

The need for organisations to adopt policies and put specific measures in place to counter these threats and vulnerabilities is strong and compelling. But how do they measure up in practice?

The research investigated the application of mobile-device security policies, their communication and enforcement across UK organisations. It also explored the different types of security threats present and their perceived importance, as well as the measures taken by organisations to combat these threats both now and in the near future.

This research was carried out as part of a broader research study sponsored by Orange UK investigating the top mobile trends today and their impact on UK enterprises. The study was undertaken by ZDNet.co.uk in association with Rhetorik, a specialist market-intelligence organisation that focuses specifically on European IT and telecommunications markets.

The survey was web-based, using a detailed questionnaire applied through the ZDNet.co.uk research panel as well as a broad sample of knowledgeable respondents drawn from the readership of specialist CNET technical publications.

The research was conducted with a significant sample of 371 organisations of all types and sizes with some degree of mobility within the workforce. A breakdown of these respondents by size of organisation is presented below.

Figure 1: Breakdown by company size

Q42 Approximately how many people are employed in your organisation (in the UK)? (single response)
Base: All respondents; Total: 371
Source: Rhetorik 2007

Mobile security policy

The application of a policy on the use of mobile devices can do much to allay concerns over security issues and their implications within the organisation. In this section we explore the prevalence of such policies, as well as their communication and enforcement across the UK.

A policy on the use of mobile devices
Almost two-thirds of the companies researched had a policy on the use of mobile devices by their staff, which left a third that did not.

However, when you look at the pattern of response across the different sizes of organisation, the reasons for this proportionate lack of policy become more explicable. The results show clearly that the availability of a recognised policy increases steadily with increasing size of enterprise. Only two-fifths of the very smallest organisations (fewer than 10 employees) appear to see the need for such a policy, probably because of the very limited number of users. However, in the large corporate sector (more than 1,000 employees), application of a policy is recognised in 85 percent of all enterprises, where the user base is often much larger and the corporate exposure to risk proportionately much greater.

The same pattern was seen when analysing the results according to the number of handheld mobile devices in use. For organisations with 100 or more mobile devices in use, fewer than one in 10 had no such policy in place.

Figure 2: Mobile device security policy

Q33 Does your company have a policy on the use of mobile devices for business purposes by its staff? (single response)
Base: All respondents; Total: 371
Source: Rhetorik 2007

Communication of mobile-security policy
Clearly there is little point in a company having such a policy if it is not fully communicated to all relevant members of staff.

When questioned on this, almost all organisations did communicate their policy. Nearly four-fifths of enterprises communicated this to all their users in writing, and most of the rest discussed the policy with their staff. Only two percent said they had a policy that wasn't communicated.

The smaller organisations placed greater reliance on verbal methods of communication, as in general did those with the lower numbers of users. Almost half of all SOHO (small office/home office) organisations, as well as all those with fewer than five handheld devices in use, depended on verbal means to communicate their policy to the user base.

Figure 3: Communication of mobile-security policy

Q34 Is this policy communicated fully to all relevant members of staff? (single response)
Base: All respondents who have a mobile device policy (235)
Source: Rhetorik 2007

Enforcement of mobile-security policy
Policy enforcement is also a matter of some importance, but 12 percent of organisations with a mobile-security policy claimed to have no means of ensuring it was complied with.

Of those that did ensure compliance, the majority depended on management supervision of their staff, and most of the rest relied on monitoring and analysis tools. A number applied both methods.

Perhaps not surprisingly, the smaller organisations depended more on management supervision, with the use of monitoring and analysis tools increasing significantly in the larger organisations. More than half (51 percent) of large corporate respondents with a policy use monitoring and analysis tools, whereas this figure drops to only 15 percent in the SOHO sector.

The only other enforcement mentioned specifically was the monitoring of inappropriate communications through analysis of network billing.

Figure 4: Enforcement of mobile security policy

Q35 How does your company enforce this policy? (multiple response)
Base: All respondents who have a mobile device policy (235)
Source: Rhetorik 2007

Policy on the use of personal mobile devices
Another important security consideration for organisations is the use of personal mobile devices for business purposes by members of staff, either in the workplace or away from the office. A variety of issues can arise if such devices are allowed, including access, support and configuration issues for IT, as well as a raft of data and network security concerns from different and possibly uncontrolled devices in use.

We asked organisations with a mobile-security policy if that policy included restrictions on business use of personal mobile devices. The results showed that use of personal mobile devices is widespread. Although more than a third of all respondents stated that only company-owned mobile devices were allowed to be used for business purposes, most of the rest said that personal devices or personal and company devices were allowed by their employer.

Restrictions on the use of personal devices were more prevalent with increasing size of organisation, and indeed with increasing number of devices in use. In the large-corporate sector, half of all respondents stated that only company-owned devices were allowable, whereas only one-fifth had this strict policy in the low-end SOHO sector.

Figure 5: Use of personal mobile devices

Q36 Are members of staff allowed to use personal mobile devices (PDAs, BlackBerry, laptops etc) or only company-owned devices for business purposes? (single response)
Base: All respondents who have a mobile device policy (235)
Source: Rhetorik 2007

Mobile-security threats
Having explored company policies, we went on to look at the type of security threats and the specific threats that were considered most important by the research base.

Importance by type of threat
In order of priority, data and information security was clearly of greatest concern to our respondents, followed closely by security of the company network and then, of somewhat less importance, security of the mobile devices themselves.

Particularly notable was the trend in response for those considering each type of threat "very important" to their organisation. This highest level of importance was attributed to data and information loss by almost two-thirds of the research base, whereas this fell to a little over half for security of the network and to a lower two-fifths for the devices themselves.

However, all types of security threat were taken seriously, with more than 85 percent of respondents considering each to be of importance.

All threats increased in perceived importance with increasing size of respondent organisation, probably due to the higher levels of investment and hence business importance of the losses that might be incurred.

Figure 6: Security threats — importance by type

Q37 How important do you consider each of the following types of mobile security threat? Please rate on a scale of 1 to 5, where 1 is "very important" and 5 is "very unimportant"
Base: All respondents; Total: 371
Source: Rhetorik 2007

Importance by specific threat
Interestingly, although we saw that physical loss of the devices themselves is considered the least important of the three main types of threat, the resultant loss of data/information when a device containing company-sensitive data or emails is lost or stolen is of great concern. This was rated the most important specific threat of all those considered.

Next in importance, but still in the area of data loss, was the threat of unauthorised access by third parties to company-sensitive communications or data. Clearly this could arise through access to devices without adequate authentication or other security.

This was followed by loss or theft of mobile devices providing access to data on the company network.

Vulnerability of the network to virus infiltration or other malware introduced by mobile devices is also of considerable concern. This malware could be picked up by mobile devices that are also used to access sources outside the protection of the company firewall and virus-control software.

Also network related, almost half of all respondents consider the threat of data corruption on the network, which could be introduced through access by mobile devices, to be very important.

With the high cost of many modern handhelds, loss or theft of the devices themselves is considered of importance, but only a little over a third of our research base rate this in itself as a very important threat.

Inappropriate access or theft of company data by staff is a concern, but generally of much less significance than similar access by third parties through these means.

Perceptions of the importance of each threat were generally lower for respondents in the SOHO sector, although interestingly the importance of loss of the devices was largely consistent across all sectors.

Figure 7: Security Threats — importance by specific threat

Q38 How important do you consider each of the following specific security threats? Please rate on a scale of 1 to 5, where 1 is "very important" and 5 is "very unimportant"
Base: All respondents; Total: 371
Source: Rhetorik 2007

Mobile-security measures in place
The final section on this topic explores the main security measures that respondent enterprises have put in place for mobile devices, their use and access to the corporate network. It also covers planned implementation over the next two years.

The two most important security measures are the firewall and antivirus/anti-spam software. These are widely applied by more than two-thirds of all respondent organisations, with only modest growth in deployment anticipated in the near future.

Wireless LAN encryption and data encryption on the VPN (virtual private network) are also well used. These were reported in place by around half of the research base. With ongoing growth in the use of both WLAN and VPNs, around eight percent of organisations plan to newly adopt these measures over the next two years.

Data replication and backup is also a popular and readily applied security method. Its use in our sample was comparable with WLAN encryption and data encryption on the VPN, with similar growth prospects over the coming few years.

All too often, authentication is by single factor alone, although two-factor authentication is rapidly increasing in popularity, with twice the number of current user enterprises anticipating deployment in two years' time.

Intrusion detection is also important, with two-fifths of the sample reporting current use. Respondents point to strong prospects for growth, with a further 11 percent planning to adopt in the forecast period.

Data encryption (SSL/TLS, or secure sockets layer/transport layer security) is also used by a similar two-fifths of the research base, with comparable expectations for growth.

Remote monitoring is already in place for around a third of these organisations, but its popularity is increasing rapidly. In two years' time a further 12 percent plan to implement this important management tool.

Compliance control is one of the lesser used techniques but is also growing strongly. Only a fifth of our research base is currently using this method but this is expected to increase to more than one-third over the next few years.

Least used of all the measures researched was remote wiping. However, this powerful means of removing data and software from lost or stolen devices has strong appeal as a security measure, and our research indicated that the number of user organisations could almost double in the next two years.

Looking at these results by size of organisation, the following observations can be made:

  • The more established techniques of firewall, antivirus/anti-spam, single-factor authentication and data replication/backup are broadly applied across all sectors.
  • More advanced techniques such as data encryption (SSL/TLS), data encryption (VPN), remote monitoring, two-factor authentication, compliance control and remote wiping tend to be used less in the SOHO, and to some extent the SME sector, than in larger organisations. This is explicable in many cases, as factors such as the smaller user base and lack of need for a VPN make these techniques of less importance to smaller organisations.
  • WLAN encryption is more uniformly applied across all sectors, probably due to the popularity of wireless networks in enterprises of all sizes today.

Figure 8: Security measures in place


Q39 Which of the following security measures are currently in place for mobile devices, their use and access to the corporate network? And which additional measures do you plan to have in place in the near future (next two years)?
Base: All respondents; Total: 371
Source: Rhetorik 2007

About Rhetorik
Rhetorik delivers market research services focused exclusively on IT and telecoms industries. To meet the challenges of these fast-moving and highly competitive markets, our clients need a consultancy that truly understands the issues and concerns that drive them.

With an in-house team of highly trained researchers working exclusively in these markets, we have a particular focus on end-user research and use a range of quantitative and qualitative research techniques to provide a unique portfolio of research services, including:

  • Face-to-face interviews
  • Focus groups
  • Telephone interviews
  • Web-based surveys
  • Research panels

For more details, visit the Rhetorik website or contact Rick Paskins on +44 (0)118 989 8580 or at mailto:rpaskins@rhetorik.com.
