Network Computing is part of the Informa Tech Division of Informa PLC

ISACA Survey: Enterprises Are Addressing Mobile Device Risk

U.S.-based enterprises are very concerned about the risks posed by the influx of personally owned mobile devices in the workplace and are moving swiftly to put policies in place to control their use and protect the corporate data they hold, according to an IT risk survey conducted by ISACA (Information Systems Audit and Control Association). Respondents also indicate that their companies are making progress integrating IT risk management with their overall approach to risk management but still have a lot of work to do. The survey included 712 U.S. ISACA members.

Any employee-owned mobile device presents a greater risk than work-supplied devices, according to nearly three-fifths of the respondents to the survey, “2011 IT Risk/Reward Barometer.” These devices can include smartphones, laptops, tablets, broadband cards and flash drives. More than a third of respondents said the risks of employee-owned devices outweigh the benefits. However, more than 80% said that their company has a security policy in place for mobile computing; nearly half said the policy is kept up to date and well communicated to staff; and about a third said that their company policy needed updating and that most employees were not aware of it.

“I’m really excited that enterprises are taking a proactive view and put a policy in place,” says John Pironti, an ISACA adviser and president and consultant in governance, risk and compliance (GRC) at IP Architects. “The back of any protective concept starts with policy. Once we establish our position, policy, guidelines and standards, then we can talk about the controls we want to apply.”

A number of organizations already have controls in place to protect data on personally owned smartphones and tablets. More than a third have either policies and systems to control all features on these devices (including application installation and the ability to wipe all data) or limited controls such as encryption and password requirements; another 15% have controls that apply only to work-supplied devices.
