ISACA Survey: Enterprises Are Addressing Mobile Device Risk


May 31, 2011

Network Computing

U.S.-based enterprises are very concerned about the risks posed by the influx of personally owned mobile devices in the workplace, and are moving swiftly to put policies in place to control their use and protect the corporate data they hold, according to an IT risk survey conducted by ISACA (Information Systems Audit and Control Association). Respondents also indicate that their companies are making progress integrating IT risk management with their overall approach to risk management, but still have a lot of work to do. The survey included 712 U.S. ISACA members.

Employee-owned mobile devices present a greater risk than work-supplied devices, according to nearly three-fifths of the respondents to the survey, “2011 IT Risk/Reward Barometer.” These devices can include smartphones, laptops, tablets, broadband cards and flash drives. More than a third of respondents said the risks of employee-owned devices outweigh the benefits. However, more than 80% said that their company has a security policy in place for mobile computing; nearly half said the policy is kept up to date and well communicated to staff; and about a third said that their company policy needed updating and that most employees were not aware of it.

“I’m really excited that enterprises are taking a proactive view and putting a policy in place,” says John Pironti, an ISACA adviser and president and consultant in governance, risk and compliance (GRC) at IP Architects. “The back of any protective concept starts with policy. Once we establish our position, policy, guidelines and standards, then we can talk about the controls we want to apply.”

A number of organizations already have controls in place to protect data on personally owned smartphones and tablets. More than a third have either policies and systems to control all features on these devices (including application installation and the ability to wipe all data) or limited controls such as encryption and password requirements; another 15% have controls that apply only to work-supplied devices.

IT risk management still has a long way to go, Pironti says, although nearly a quarter of the respondents say management of IT risk is “very effectively” integrated into their enterprise’s business risk management approach, while 59% said it is integrated “somewhat effectively.”

“What we’re seeing in this survey is more appreciation of the idea of evaluating IT risk,” Pironti says. “Compliance, which is not risk-oriented, is still driving a lot of activities.”

Compliance was cited most often (26%) as the most important driver for IT-related risk management activities. Other responses showed a lack of appreciation for the primacy of business risk, Pironti says. Only 18% said ensuring that current functionality is aligned with business needs is the most important driver, and 16% cited improving the balance of risk-taking with risk avoidance to improve return on investment.

These numbers are particularly surprising because the largest group of respondents, more than a quarter, work in the financial services industry. “They’re the tip of the spear. I would think they would appreciate the idea of risk more than most,” Pironti says. “That’s their whole business.”

Cloud computing is a high-risk activity, according to the survey. Two out of five respondents say the risks outweigh the benefits, twice as many as those who say the benefits are worth the risks. The rest say the risks and benefits are balanced. A quarter say they limit cloud computing to low-risk, non-mission-critical IT services.

See more on this topic by subscribing to Network Computing Pro Reports Mobile Device Security: Bring Your Own Disaster (subscription required).
