The realities of mobile security

Research by and Rhetorik Market Intelligence has revealed that companies are not taking the security of mobile devices as seriously as they could

Despite the widespread proliferation of mobile devices, a third of UK organisations has no coherent security policy in place to deal with inappropriate usage, loss or theft.

Those are the findings of a survey undertaken by in association with market researcher Rhetorik. Although losing a mobile device can lead to the exposure of sensitive corporate data or emails, or result in unauthorised access to the company network, it appears that a lot of companies aren't taking the issue seriously.

The study revealed that the development of mobile-security policies decreased sharply in relation to the size of organisation and in line with the number of devices that they had deployed. While 85 percent of large enterprises had been careful to implement such policies, only two-fifths of SOHO (small office/home office) companies with fewer than 10 staff had done likewise.

Of those organisations that had chosen to introduce mobile-security policies, the survey found that almost all had taken the time to communicate with personnel to ensure awareness of those policies.

Seventy-nine percent of respondents opted to notify users in writing, while the rest — mainly smaller companies and those with low numbers of handhelds — tended to discuss the issue with staff verbally. Two percent failed to communicate their policies at all, making the creation of such policies rather pointless in the first place.

Rick Paskins, managing director of Rhetorik, explained why such policies are important and why staff members need to be alerted to them: "Employees' use of mobile devices may lead to vulnerabilities in the organisation's network and information systems, possibly brought about by the introduction of a virus or other malware obtained by users accessing systems outside the company firewall. Without proper controls, use may also allow company employees to access unauthorised information and the theft of valuable company data becomes easier."

Twelve percent of those questioned admitted they had not developed any means of enforcing compliance. Of those that had, some 61 percent relied on managers to supervise staff behaviour, while about a third deployed monitoring and analysis tools, and some used both techniques.

Not surprisingly, probably due to cost reasons, the focus of smaller organisations was on management supervision, with only 15 percent in the SOHO space introducing tools to help them out. This compares with more than half of large enterprises embracing the tools-based approach.

Interestingly, survey participants were also asked whether their mobile-security policies prohibited members of staff from using personal gadgets for business reasons, whether in the workplace or on the road.

This is because, as Paskins pointed out: "A variety of issues can arise if such devices are allowed, including access, support and configuration issues for IT, as well as a raft of data- and network-security concerns from different, and possibly uncontrolled, devices in use."

Despite this, the use of consumer machines appears to be widespread. More than a third of respondents said that their companies had banned the use of personal devices, but some 51 percent said that they routinely used a mix of personal and company-owned devices, while about eight percent used only their own handhelds.

Such a pattern did vary based on the size of company again, however. At the high end, about half of those questioned were only allowed to use company offerings, while this figure fell to one-fifth in the SOHO market.

By far the biggest security concern among organisations in this context, meanwhile, related to data and information loss. Nearly two-thirds of organisations saw this as a "very important" threat, while just over half were "very worried" about network security issues. About 42 percent also considered...

...the physical security of the devices themselves to be a "very important" matter because of their high cost. More than 85 percent took each of these issues seriously and considered each one to be of importance.

The most worrying individual threat for respondents, however, was losing information when a device storing sensitive corporate data or emails was mislaid or stolen, with 84 percent of respondents deeming this to be a "very important" issue.

Unauthorised access by third parties to communications and company-sensitive data was considered equally worrying by 60 percent of respondents, while the loss or theft of mobile devices that could be used to access the corporate network was next on the list, at 58 percent.

Other anxieties included threats posed to the internal network by malware, corruption of company data held on the network and the theft or inappropriate access of corporate information by employees.

"The small size and portability of mobile devices make them highly vulnerable to loss or theft. When this happens, it is important that strong access controls and data-protection measures are in place to protect against unauthorised data, network and email access, as well as other inappropriate communications," said Paskins.

The loss of data, such as files and contact lists, stored on the devices themselves can also cause big problems, Paskins added.

As to what measures organisations are introducing to protect themselves against these hazards, the most popular options were firewall and antivirus/anti-spam software, which are deployed by more than two-thirds of respondents across all sectors and size of company.

Just over half of those questioned have also introduced wireless LAN encryption, probably due to the popularity of wireless networks in companies of all sizes, while 50 percent have gone for data-replication and backup technologies, as well as data-encryption products for virtual private networks. Adoption in each of these areas is expected to take place among an additional eight percent of the installed base over the next two years.

But growth rates are expected to be significantly higher in newer technology areas, such as two-factor authentication (19 percent of respondents said they use it now, but a further 20 percent plan to do so in the next two years), compliance control (21 percent use it now, with 14 percent adopting by 2009) and remote monitoring systems (a third use it now, and 12 percent plan to use it in two years' time).

These offerings tend to be used mainly by larger enterprises, however, and the smaller the company is in size, the less likely it is to deploy them.

"The proliferation of mobile devices in use brings with it a number of security concerns, so the need for organisations to adopt policies and put specific measures in place to counter these threats and vulnerabilities is compelling," said Paskins.

Of the 371 executives that took part in the survey, about 30 percent worked in large corporates with more than 1,000 staff; 29 percent were employed by small to medium-sized enterprises with between 11 and 250 employees; 23 percent had one to 10 personnel; 13 percent had a headcount of between 251 and 1,000; and the rest did not know.