Call it the downside of the BYOD movement. IT is rapidly falling behind in its race to keep devices secure in the face of more and more mobile devices (laptops, smartphones, tablets) being brought into the enterprise by end users, according to a new study by Ponemon Institute, sponsored by Websense.
Fiaaz Walji, country manager for Canada at Websense, said that with many employees bringing “three devices, at minimum” to work with them, and with those devices being always-connected and increasingly susceptible to malware, it’s going to be a hard race in which to stay competitive.
“BYOD is rapidly outpacing the security posture and policy that’s in place today,” Walji said.
And disturbingly, Canadian mobile devices are among the most likely to be infected, and Canadian organizations largely don’t have solid policies in place.
The Ponemon study contacted 4,640 IT and IT security professionals worldwide, including 421 in Canada, on their experiences, opinions and strategies when it comes to mobile devices.
Canadian businesses ranked in the top three for malware infection rates on mobile devices, with 62 per cent of Canadian respondents having experienced some sort of malware on mobile devices (laptops, smartphones, tablets or USB sticks). And Canadian businesses tied for “top” spot when it comes to data loss, with 58 per cent of businesses reporting some type of data loss as a result of insecure mobile devices.
But it’s not a Pandora’s Box that can be closed. While 72 per cent said mobile devices are a risk for threat vectors, nearly the same number (71 per cent) said mobile devices were essential to their business’ success.
“Restricting these devices is not an option, but organizations do have to address the risk,” Walji said.
The good news is that a lot of that loss is not due to malicious intent. Walji said the most frequent stories he hears from partners are variants on the old “I downloaded a list to my iPad, and then lost my iPad” story. But, of course, data that’s lost due to accident is just as lost.
So how are Canadian businesses dealing with these challenges? Largely not by way of policies. The study found that two-thirds of Canadian organizations don’t have a policy on acceptable or unacceptable use of mobile devices, or are unsure if their company has a mobile policy (23 per cent). Canadian businesses were, in fact, among the least likely (along with the UK, India and France) to have a mobile device policy in place.
The biggest obstacles to having policies included lack of governance or oversight, focus on other areas of security, and insufficient resources to monitor and enforce policies. But organizations are increasingly realizing both that they need to have a policy, and that policy needs to be data-centric, as opposed to device-centric. “If you start with a device-centric policy, you’ll never be able to keep up,” Walji said.
He said that more of the company’s channel partners are offering customers help with crafting those policies, and posited it would be a bigger opportunity still for solution providers as more organizations start to get on board.
Beyond building out the initial policy, Walji suggests partners take an ongoing approach, helping customers revisit and optimize their mobile policy every six months as business and security realities change. Beyond that, IT solution providers can be key in educating users about the policies and risks. There are simple messages – don’t download risky or untrusted apps, don’t download from unsanctioned app stores, don’t jailbreak devices, don’t turn off any security settings – that need to be hammered home.
“We’ve come a long way since the first policies for cellphones and BlackBerries,” Walji said.