A muddled mix of policies covering laptops, Wi-Fi and consumer devices has led to "security gaps big enough to drive a semi through," according to Michael Finneran, author of the InformationWeek 2012 State of Mobile Security Survey.
The conclusion may surprise some, given recent high-profile security breaches that have compromised consumer data and resulted in costly fines and lawsuits. Five years ago, a poorly protected Wi-Fi network supporting cash registers at a Florida T.J. Maxx store resulted in 45 million exposed debit and credit card numbers during an 18-month period. Related fines and settlements added up to $50 million.
Despite such cautionary tales, the InformationWeek 2012 Mobile Security Survey shows 24% of respondents' organizations still use WEP, the technology at the root of that retailer's problems. Finneran writes that these are people who should know better, since each one of the 322 business technology professionals responding to the survey is involved with mobile device management, policy development and/or security.
The reality is that "adaptability is fundamentally at odds with the requirements of an enterprise security plan," writes Finneran. Too many organizations are tweaking their security policies in key areas based on the capabilities of the mobile devices they permit, and, alarmingly, the survey found that 86% of respondents are permitting use of personally owned devices or are moving in that direction.
The survey found that while 40% of organizations limit the range of devices supported and require that users connect to a mobile device management system, 42% allow employees to bring in any device and permit it to access the network as long as the user agrees to certain policies, which usually means trusting users to "do the right thing." Meanwhile, 10% allow user-owned devices with no restrictions whatsoever.
Fully 99% of respondents to the InformationWeek 2012 Mobile Security Survey say their organizations provide laptops to some percentage of employees; 92% provide smartphones. The bring-your-own-device, or BYOD, trend, however, means a whole lot of platforms and versions are connecting to the enterprise: Employees bring their own smartphones at 86% of organizations; tablets at 77%; basic cellphones at 71%; and laptops at 65%.
There's a huge disparity in the range of devices permitted to store corporate data, whether issued by the organization or brought in by the employee. BlackBerrys lead the pack when it comes to company-owned and supported smartphones, at 70%, a percentage surpassed only by Windows laptops and netbooks. Apple iOS comes in second, at 62%; Android 3.x and 4.x devices are at 42%. Earlier Android 2.x devices tied with Windows Mobile at 35%, with Windows Phone trailing at 30%.
BlackBerry's lead may not last, however: January's InformationWeek Research in Motion Survey of 536 IT professionals found that while BlackBerry represents a median of 70% of company-purchased devices in use today, that figure drops to 35% when respondents look ahead 24 months, and only 7% say they plan to increase their use of RIM products.
The BYOD trend, however, isn't driving IT departments to fashion firm guidelines, even as 84% of respondents identify lost and stolen devices as critical mobile security concerns. Only 14% of Mobile Survey respondents mandate hardware encryption for corporate data stored on mobile devices, even when 48% report that mobile devices have gone missing in the past 12 months. In the report, Craig Mathias, principal at mobile advisory firm Farpoint Group, notes that replacing a mobile device is relatively cheap, so respondents' concerns must be over possible compromised data, "and yet encryption is dramatically underutilized."
Finneran concludes that CIOs are putting the organization at risk by making concessions in a rush to accommodate a plethora of consumer devices. It could take a high-profile security incident with one of these devices before IT receives both the management support and budget to address mobile security adequately, he writes.