Secure data access in a mobile universe

I was recently interviewed by a journalist, Lynn Greiner, who was working on a paper for the EIU and we talked about data security, mobility and the ever-common phenomenon of BYOD (Bring Your Own Device to work).


    • Secure data access in a mobile universe. A report from the Economist Intelligence Unit. Sponsored by
    • Contents
        • Preface
        • Executive summary
        • Introduction
        • 1 Modern mobility: where are we now?
        • 2 Loss, theft and bad habits: what are firms doing to meet the challenges?
        • 3 Ever-more data on the go: the emerging trends
        • 4 How can companies ensure effective mobile policies?
        • 5 Conclusion
        • Appendix: survey results
      © The Economist Intelligence Unit Limited 2012
    • Preface
      An ever-growing use of consumer communication devices in the workplace and a need to maximise the productivity of executives and workers on the move are requiring businesses to respond. Secure data access in a mobile universe explores how companies can accommodate rising demands for mobile access to business information while minimising the security risks to proprietary data.
      As the basis for the research, the Economist Intelligence Unit in June 2012 conducted a global survey of 578 senior executives. The survey explores how organisations are—or should be—responding to current and emerging challenges stemming from an unstoppable trend towards “bring your own device” (BYOD), as well as rising worker mobility more generally. We also undertook a series of in-depth interviews.
      The findings and views expressed in this report do not necessarily reflect the views of the sponsor. The author was Lynn Greiner. Michael Singer and Justine Thody edited the report and Mike Kenny was responsible for the layout.
      We would like to thank all of the executives who participated in the survey and interviews, including those who provided insight but did not wish to be identified, for their valuable time and guidance.
    • Interviewees
        • Lucy Burrow, director of IT governance, King’s College London
        • Mike Cordy, global chief technology officer, OnX Enterprise Solutions
        • Steve Ellis, executive vice-president, Wells Fargo
        • Jay Leek, chief information security officer, Blackstone Group
        • Arturo Medina, information technology director, Ipsos Mexico
        • Bill Murphy, chief technology officer, Blackstone Group
        • Al Raymond, vice-president, Aramark
        • Ashwani Tikoo, chief information officer, CSC India
    • Executive summary
      In the late 1990s portable laptops and mobile devices emerged that allowed executives to be productive while away from their offices. Devices like the IBM ThinkPad and RIM BlackBerry ushered in an era of multifunction mobile equipment that proved irresistible for the C-suite. Today, the world’s mobile worker population has expanded far beyond corner offices and is expected to reach 1.3bn people, or nearly 38% of the total workforce, by 2015, according to IDC, a technology research firm. By some estimates, as many as 76% of companies currently support a “bring your own device” (BYOD) policy, suddenly thrusting them into the position of securing access to data on devices they might not own. Most of those firms say they allow employees to use personal devices to make more effective decisions, avoid missed opportunities and work more effectively with their partners and customers—the same reasons driving companies to enable mobile data access on firm-owned devices.
      In June 2012 the Economist Intelligence Unit conducted a global survey, sponsored by Cisco, of 578 senior executives to explore their perspectives on securing data on mobile devices. The principal research findings are as follows:
        • Most executives are uneasy about their company’s mobile data-access policies. Although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. Nearly half of respondents (49%) say the complexity of securing multiple data sources and a lack of knowledge about mobile-access security and risk (48%) are top challenges for their companies.
        • Larger companies are most willing to allow mobile access to critical data, but also impose stricter rules. More than 90% of companies with revenue over US$1bn allow access to data via either personal or company-owned devices. However, more than half of organisations with over US$5bn in revenue allow access only on company devices, while a third also permit access on personal devices. By contrast, only 37% of companies with revenue under US$500m insist on company-owned devices, while 47% permit access on personal devices as well. Mobile users within larger firms, however, must stay within the lines of approved devices requiring multiple policy signoffs.
        • Mobile policies must not neglect social networking. While 56% of survey respondents have policies covering acceptable use of social networks via mobile devices, 33% of executives surveyed are restricted from discussing their work on social media platforms. Close attention to policies around social networking can enable effective interaction while still protecting corporate data assets and avoiding liability.
        • Available infrastructure is the key influence on company policies around mobile access. While 44% of respondents say pressure from executives is one of the most important influences on policy, that number is dwarfed by the 60% who cite IT infrastructure requirements. This indicates an opportunity exists for companies offering services to secure and manage mobile access.
      Is the mobile data access trend unstoppable? The short answer is yes; more sophisticated devices that offer a better user experience only serve to accelerate the trend. This means policies are mandatory, not optional. Getting employees involved in shaping those policies certainly increases the likelihood of compliance, according to executives interviewed for this research.
    • Who took the survey?
      The survey questioned 578 senior executives worldwide. The respondents were based primarily in North America (29%), Western Europe (25%) and the Asia-Pacific region (27%), with the rest from the Middle East and Africa, Latin America and Eastern Europe. Of the total number of respondents, 23% were from the US, 10% from India, 7% from Canada and 6% from the UK. In terms of seniority, 27% were at the CEO level, 17% at the senior vice-president level and 15% at the manager level.
      With respect to organisation size, 55% were from companies with revenue of US$500m or more annually, with 22% of those with revenue of US$10bn or more. Respondents represented a wide variety of industries, in particular IT and technology (13%), financial services (11%), professional services (11%) and energy and natural resources (9%). Functionally, respondents identified their primary roles as general management, business development, finance and sales and marketing.
    • Introduction
      Adopting the right policies around mobile data access is becoming an increasing concern for many companies. Senior employees, as much as younger recruits, are demanding access to corporate data anywhere, anytime, on mobile as well as fixed devices. And many companies are realising that supporting mobile-device policies can pay dividends in the form of increased engagement and productivity—including a greater willingness to be responsive outside of working hours. BYOD-friendly workplaces are also more likely to attract tech-savvy workers, which usually helps spur innovation.
      As devices proliferate and lines between consumer and corporate IT continue to blur, the challenges companies face in adapting to this cultural shift will grow. Expanding the scope of business data access presents obvious business risks, as well as technological challenges. Portable devices can be lost or stolen. People may share their devices with friends or relatives, increasing the risk of leakage of confidential data. Often these data are accessed from software applications not sanctioned by the company. But it is increasingly futile for IT departments to try to control the devices people bring to work, or to control how people use devices outside the office. They must respond to the increased vulnerability of corporate data networks by enforcing effective safeguards, both to protect business-critical data and to comply with regulatory environments in every region in which the company operates.
    • 1 Modern mobility: where are we now?
      Nearly one billion smart connected devices were shipped worldwide in 2011, a number expected to double by 2016, according to IDC, a technology research firm. These devices include PC-based products such as laptops and netbooks, mobile phones and tablets. The Economist Intelligence Unit survey showed that many people use multiple devices, most often a combination of laptop and smartphone, although tablets are increasing in penetration. Worldwide tablet shipments in the second quarter of 2012 grew by 33.6% over the first quarter and 66.2% over the same quarter in 2011, according to IDC’s estimates. We expect to see significant growth in the use of tablets after the release of the next generation of software operating systems. Added collaboration and communication features on newer tablets will attract executives with a wider range of data-access options than smartphones.
      Supporting executives on the road with information fed to their mobile devices allows them to make quick, informed decisions, especially at critical times, such as business negotiations, notes Ashwani Tikoo, chief technology officer of CSC India, an IT services provider. In the second-largest operations centre for CSC global, Mr Tikoo is responsible for security policies that protect business data on mobile devices. Instant availability of data allows sales people to make the right decisions on the spot, rather than making the customer wait, he says. To prevent data loss, CSC’s security policies require data encryption on all mobile devices, including personal devices covered under a BYOD policy.
      Preventing the data from being stored on a mobile device is another strategy. Al Raymond, vice-president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.
      Similar challenges exist around social networking on mobile devices outside of the office, although company policies often restrict executive participation. Thirty-three percent of executives responding to the EIU survey said that they were not allowed to discuss any facet of their work on social networks, and another quarter said that only authorised spokespersons were permitted to even access social networks on corporate devices. Executive use of social networking will continue to be restricted, either by policy or unwritten agreement, to protect corporate information and limit liability, our research found.
      Of course, different job seniorities require access to different types of data and our survey yielded few surprises here. Among C-level executives, financial information (60%) and strategic planning (42%) were significant productivity drivers. Managers look for operational data (44%) and sales-and-marketing data (43%), while lower-ranked staffers most need access to customer (42%) and operational data (42%).
      Making effective decisions (52%) and avoiding missed opportunities (42%) are the top reasons that senior executives seek mobile access to critical business data, according to our survey. Liaison with third parties—such as suppliers—comes particularly high on the list for smaller companies; 42% of respondents at firms with revenue under US$500m put this in their top three, compared with 37% of all firms. This need to stay connected helped transform email into a must-have application on mobile devices and remains the primary tool used by executives in our study to access business data remotely (81%).
    • Chart: Executive mobile social policies. What policies does your organisation face around social network use on corporate devices? (% respondents)
        • Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
        • Only authorised spokespersons are permitted to access social networks on corporate devices: 26
        • Executives have unrestricted access to social networks: 19
        • Executives may not access social networks on corporate devices: 18
        • Other: 5
      Source: Economist Intelligence Unit survey, June 2012.
    • CASE STUDY: Ipsos, a hybrid approach
      In regions like Latin America in which face-to-face contact is preferable for market research, smartphones and tablets are replacing pencil and paper as the survey tools of choice. Ipsos, a global market research firm, embraced this shift toward using mobile devices in its operations in Mexico and elsewhere. The company currently operates in 84 countries and has 16,000 full-time employees. Its research spans multiple methodologies from online to in-person, resulting in more than 70 million interviews per year worldwide.
      Ipsos currently provides company-owned handhelds to its interviewers, but it is working on a new approach, says Arturo Medina, IT director at Ipsos Mexico. “Since the cost of custom mobile devices are quite expensive, we are adopting a hybrid model of ‘bring your own device’ policies,” he says.
      In the hybrid model under development, interviewers are offered a choice of one of three smartphone models that Ipsos knows can run its interviewing software. Employees pay for their own device through incremental payroll deductions. Under normal circumstances, Mr Medina says workers will own the device outright in 2-3 weeks.
      Ipsos provides a VPN connection to its company data, while the employee pays for all other smartphone functions. Ipsos manages the devices so it can remotely expunge business information if necessary. The data accessed on the smartphone are encrypted, preventing some losses. Interviewers must also adhere to corporate usage policies. The interviewers have the flexibility to use one device everywhere, notes Mr Medina, yet the company has sufficient control to protect its data assets.
    • 2 Loss, theft and bad habits: what are firms doing to meet the challenges?
      Implementing systems to secure company data accessed across an array of different platforms costs money. So it is not surprising that only survey respondents from the largest companies feel confident about their firms’ data-security arrangements. While 45% of respondents from firms with annual revenue of US$10bn or more say that their firm has state-of-the-art data security measures in place, this falls to just 10% for respondents from smaller companies (US$500m). Moreover, even among firms with revenues between US$500m and US$5bn, as many as a third describe their companies’ policies as inadequate or completely inadequate.
      Overall, our executive respondents accept the need for investment, with 69% rating security service investment a priority. But our research indicates that more needs to be done to educate executives about security risks. Some companies that believe they have strong security nevertheless allow risky practices. For example, among those executives who said their firms have industry-leading security practices (20%), 13% said there are no restrictions on their social-networking activities. This practice, of course, carries risk of accidental exposure of confidential company information. Our research found that setting social-networking policies can both enable effective interaction and help protect corporate data assets and avoid liability.
      With fewer resources than their larger counterparts, smaller companies face stiffer challenges in securing mobile data. Nearly 40% of respondents from companies with annual revenue of US$500m or less described their company’s mobile data security policies as inadequate or completely inadequate. As with larger organisations, smaller companies with enforced, written policies can go a long way towards securing corporate data at relatively low cost. Devices sold in the last few years have built-in encryption that need only be activated. However, additional management tools are often needed to automate security processes, forcing smaller firms to balance purchasing protective technologies with lower-cost approaches like holding employees to security policies.
      As the power of even the smallest mobile devices continues to increase, so does the risk of losing data for the most low-tech of reasons. Kensington, a US computer peripheral manufacturer, says more than 70m smartphones are lost annually, with only 7% recovered. Laptops are not immune either, with Kensington’s research showing that 10% will be lost or stolen over the life of the PC. Three-quarters of the losses occur during transit or while the employee is working at a remote location. A large percentage of those lost machines contain some type of business data.
      The average cost of a corporate data breach incident reached US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That is more than double the average cost in 2005. Mr Raymond of Aramark thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may reach US$25m–500m.
      Of particular concern to companies looking to prevent data breaches caused by employees, many mobile data losses are a direct result of user carelessness. Ponemon’s 2011 Cost of Data Breach Study found that anywhere from 30% to 40% of breaches were caused by negligence, followed by those due to malicious attacks (43%). The study found 50% of breaches from Italian companies were generated by the loss or theft of a mobile device. Only Germany (42%), France (43%) and Australia (36%) experienced more breaches caused by malicious attacks than those caused by negligence. India was the only country in which system glitches surpassed negligence and malice as causes of breaches.
      Some notable mobile data losses illustrate how easily a breach can occur. The Cancer Care Group, an Indianapolis cancer clinic, lost the personal data of more than 55,000 patients as well as those of its employees in July 2012 when an employee’s laptop containing server backup files was stolen from a locked vehicle. The data were not encrypted, contrary to best practices. The MD Anderson Cancer Center, a Texas medical clinic, suffered two breaches between June and July 2012. While one incident was caused by an unencrypted portable USB key lost on a bus, another took place when a laptop, also unencrypted, was stolen from a faculty member’s home. Information on over 30,000 patients was compromised in the two breaches. After the second breach, the facility began a project to encrypt all of its data.
      Companies can prevent many data breaches by adding password protection to mobile devices, be they laptops, smartphones or portable data storage devices, and by full encryption of the disk or USB key. These devices should also be secured physically. For instance, they should not be left in unattended vehicles, even locked ones. Mobile phones and some PCs (those equipped with Intel’s vPro technology) can be remotely disabled and wiped clean of data if they go missing; the more sensitive the data they hold, the more critical it is that such a mechanism is put in place, since encryption can be broken.
    • Getting a grip on BYOD
      Since the “bring your own device” model is comparatively new, there are few tried-and-tested industry standards for BYOD policies. Typically, if an employee leaves the company, voluntarily or otherwise, company data must be quickly removed, preferably without interfering with the employee’s personal information. Acceptable use policies for BYOD usually include a clause permitting this. Companies can also protect themselves legally by modifying their existing mobile policies, recommends a June 2012 National Law Review brief. Policies that centre on harassment, discrimination and equal-employment opportunities policies, confidentiality and trade-secret-protection policies, and compliance and ethics policies may all be updated to protect companies against worker abuse of mobile policies.
      As a safeguard against risky executive practices, many companies install software on the employee’s device to lock down its software, encrypt data and perform other administrative functions, such as updating calendars or applying security updates. Intrusive though this may sound for the employee, most mobile-device policies require some type of remote administrative access controls. Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Mr Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.
      Mr Raymond says his company takes an alternative approach to device-centric mobile-security administration. Workers use the mobile device purely as a viewer, leaving company data on corporate servers that can be accessed securely and do the heavy computing, and not on the device itself. Methods of doing this, which include using virtual desktop technology and accessing data through web-based services like Salesforce.com, are becoming more widespread because mobile access to secure networks enables company-controlled encryption, authentication and management.
      Arturo Medina at Ipsos, which imposes similar network-based controls, recommends a constant dialogue with employees to ensure compliance and prevent unauthorised downloads of corporate data. “Make clear the boundaries of sensitive information and user information, as well as what gets backed up as corporate info and what is considered personal information,” Mr Medina advises.
    • Chart: BYOD policies. How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)
        • Specifying approved devices: 25
        • Requiring sign off on acceptable use policy: 32
        • Monitoring applications on devices: 14
        • Requiring defined security software on personal devices: 31
        • Requiring a secure virtual environment on personal devices: 25
        • Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
        • Restricting mobile data access to specific apps: 18
        • No restrictions, executives have free access to whatever data is available: 20
      Source: Economist Intelligence Unit survey, June 2012.
    • 3 Ever-more data on the go: the emerging trends
      Almost 90% of organisations worldwide allow mobile access to critical data, according to the International Telecommunication Union (ITU), a UN agency. Of those organisations identified in the EIU survey that do not have formal BYOD policies, 25% say they plan to implement a programme in the next 12-18 months. They note that this type of programme makes for more motivated employees, an observation upheld by independent research. According to research conducted in August 2012 by iPass, a US mobile software company, many employees work up to 20 additional unpaid hours per week when they’re always connected. Almost 90% of iPass respondents said that wireless connectivity is as important a component of their lives as running water and electricity.
      Though more employees are working outside of the office, establishing a mobile-access programme including BYOD is not an option for some firms. Highly regulated banking and finance companies have strict policies that prohibit letting executives access company data from their own devices. Steve Ellis, executive vice-president of Wells Fargo, notes that his company is approaching BYOD with caution and is currently evaluating options. A formal plan may be another year away, Ellis says. Other companies with no formal BYOD policy report seeing personal devices slip in under the radar. Before the introduction of Aramark’s formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. “It is no longer a wink and a nod,” Mr Raymond says. The higher the visibility of your program, the more likely it will be adhered to.
      Policies aside, the nature of devices has changed as well. Currently, just over a quarter (27%) of critical data access is occurring by means of smartphones, according to our survey. Respondents expect this to rise to over a third (35%) in the next 12-18 months, with another 30% of critical data accessed by means of other mobile devices, up from a fifth currently. With the advent of newer software and the associated devices, tablets are poised to become a more widely used mobile window to corporate data for executives, perhaps even supplanting smartphones one day, according to an article in The Economist (October 2011). Their larger screen size expands the range of data that can be effectively viewed, and, supplemented by external keyboards, they enable easier interaction with apps.
      Interestingly, although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. The main challenge, unsurprisingly, is concern about potential security and other risks. Nevertheless, only 11% of respondents to our survey say their organisation does not provide access to critical data outside the office.
    • Chart: Executive access devices. What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)
        • Smart phone: 85
        • Tablet: 41
        • Laptop: 85
      Source: Economist Intelligence Unit survey, June 2012.
    • CASE STUDY: US EEOC launches mobility pilot
      The US Equal Employment Opportunity Commission (EEOC) FY 2012 budget was slashed by nearly 15%, from US$17.6m to US$15m. Needing to reduce operating costs, Chief Information Officer Kimberly Hancher reduced the agency’s mobile device budget by half. To help fill the gap, the agency launched a mobile BYOD pilot project. The project focused on providing employees with access to agency email, calendars, contacts and tasks. A few senior executives were provided “privileged” access to the agency’s internal systems as part of the project.
      In the initial testing phase, 40 volunteers turned in their government-issued BlackBerry devices and instead used their personal smartphones. Information security staff, legal staff and the employees’ union generated rules that balanced employee privacy (social media policies, monitoring policies) with government security, such as the US National Institute of Standards and Technology (NIST) regulation SP 800-53 (also known as “Recommended Security Controls for Federal Information Systems and Organisations”).
      The second phase of the programme launched in June 2012. The EEOC worked with its contractors to configure agency email access for employees participating in the secondary testing. The agency’s remaining 468 employees using EEOC-issued BlackBerry devices were offered three choices:
        1. Voluntarily return the BlackBerry and bring a personal Android, Apple or BlackBerry smartphone or tablet to work.
        2. Return the BlackBerry and get a government-issued cell phone with voice features only.
        3. Keep the BlackBerry with the understanding that the EEOC does not have replacement devices.
      EEOC managers report positive results from the pilot so far. Employees pay for their own voice and data usage and the agency covers the licenses for the management software. The EEOC’s Mr Hancher noted that, for some employees, the cost may be an issue and there is an outstanding question of whether the agency will be able to provide some sort of reimbursement for part of the data and voice services. Mr Hancher notes that success was achieved by involving employees, the union and legal departments early in the process.
4 How can companies ensure effective mobile policies?

Survey respondents clearly recognise the advantages of enabling mobile data access and are aware of the necessary investments. Some of the measures that companies need to adopt to secure corporate data accessed by mobile devices can be put in place remotely. IT managers can currently add security features to laptops, smartphones and tablets, often using existing management tools. They can also separate company data from personal data as well as duplicate and store business data on corporate networks. Virtual desktops provide secure mobile access to data on personal laptops. These safeguards allow mobile workers to recoup data on a lost or damaged device with little effort. These measures will allow more executives in the future to access corporate data securely from any computer, according to our executive interviewees.

For the travelling C-level executive, less time spent updating security protocols means more time for getting work done. In the future data security will be strengthened with the help of technologies built directly into applications that protect the data itself, making interception and misuse more difficult, CSC’s Mr Tikoo said. “Applications should be able to recognize that I am working on an iPad or a little 5-inch screen and render the data to me appropriately.”

Mr Raymond says that although his business doesn’t require it, separate environments for business and personal use are important. But if the policies surrounding them, or any other security measures, are not enforced, there will be consequences. He says he is always surprised when speaking with his peers at how much of security in large organisations is just “smoke and mirrors”. The words are there, the enforcement is not.

Ipsos, a global research company, requires every employee to complete a security-awareness training course delivered over its corporate intranet—a cost-effective way to reach its staffers in 84 countries. While its programme was internally developed, commercially available security-awareness products that can be customised for local needs are readily available from organisations such as the US National Security Institute (NSI). Employees are also required to sign a mobile acceptable use policy that covers everything from the type of data they may access from a mobile device to rules concerning password strength.

Other security safeguards require reliable action on the part of users. While mobile devices should have passwords, Coalfire, an audit and compliance firm, estimates only half of personal devices currently do. Employees in a BYOD programme must agree that if their personal devices are lost or stolen, the IT department’s responsibility includes remotely wiping out information on personal devices to protect company data.

There is clearly some way to go in most organisations to educate staff on the security issues raised by mobile access of company data. The survey indicated that executives outside Europe and North America are more likely to resist data-security policies on personal devices. Yet, in an increasingly interconnected business world, security gaps in one region can affect compliant companies (and their customers) elsewhere.

Chart: Mobile empowerment
In what ways is your company empowering access to critical data today and how might that change in the future? Select one answer in each column for each row. (% respondents)
Providing access to multiple types of data: Today 60, In the future 47
Providing secure mobile environments to allow access to critical data: Today 45, In the future 43
Enhancing secure access to data (eg, mobile device generated security tokens): Today 41, In the future 45
Training executives to use mobile data more effectively: Today 36, In the future 42
Enabling customised mobile views of data: Today 24, In the future 58
Providing mobile apps to access critical data on multiple platforms: Today 20, In the future 52
Providing secure cloud-based environments for mobile use: Today 20, In the future 57
Designing intuitive mobile user interfaces: Today 15, In the future 48
Incorporating new communication/data access methods (eg, QR codes, NFC): Today 14, In the future 47
Source: Economist Intelligence Unit survey, June 2012.
5 Conclusion

Not only will mobile data access expand, the trend is unstoppable. Unmanaged and unsecured devices have already crept into the business environment, putting company data at risk and opening the door to attacks through compromised devices. Almost one-third of respondents in our survey report inadequate mobile device policies at their companies. Establishing sensible, workable policies is a first step to achieving a viable mobile data access programme.

Executives classifying their device policies as industry-leading indicate they use data on-the-go to make more effective and collaborative decisions, avoid missed opportunities and work more effectively with partners and customers. To ensure that this access won’t compromise business data, executives may want to prioritise programmes that mitigate risk and support investments in data and security services.

Connected devices are becoming increasingly integral to global business. The type of device in use is evolving, with tablets being the up-and-coming device of choice. We can expect to see significant growth in the use of tablets after the release of the next generation of software operating systems, which will give tablets a wider range of data-access options than smartphones. This will be a mixed blessing, analysts believe, as tablets will be supplemental devices to existing systems, not replacements.

Securing critical data in the future may mean creating even more stringent access requirements. The shift towards tablets for business outside the office, for example, will open up a whole new set of challenges because it will encourage executives to seek mobile access to a wider range of data. It will require many companies to take a fresh look at the whole issue, from devices and their weaknesses through available infrastructure to the users themselves.
Appendix: survey results

Percentages may not add to 100% owing to rounding or the ability of respondents to choose multiple responses.

Based on your observations, how does your organisation’s mobile device policy compare to those of its competitors within your industry? (% respondents)
Industry leading (my organisation has a written, formal, enforced policy for the management and use of mobile devices): 20
Adequate (my organisation has informal guidelines that are monitored and enforcement action taken when necessary): 47
Inadequate (my organisation has informal or formal guidelines that are neither monitored nor enforced): 19
Completely inadequate (my organisation has no formal or informal policy for the use and management of mobile devices): 11
Don’t know: 3

What leading business factors are driving the need for access to critical data from mobile devices? Select up to three. (% respondents)
Making more effective decisions: 52
Avoiding missed opportunities: 42
Working more effectively with third parties (suppliers, partners, customers, etc): 37
Empowering executives: 37
Keeping up with competitive pressures: 31
Maximising more business functions: 27
Satisfying internal demand: 21
Controlling costs: 16
Other: 3
We have no need for mobile data access: 1
Does your organisation allow access to critical data outside the office? (% respondents)
Yes, on company-owned devices only: 43
Yes, on either company or personally-owned devices: 46
No: 11
I don’t know: 1

What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)
Smartphone: 85
Tablet: 41
Laptop: 85
Pager: 2
Other: 1
We do not provide company-owned devices to executives: 3

Does your organisation allow executives to bring their own devices (BYOD) and use them instead of company-owned devices to access critical data? (% respondents)
Yes: 49
No: 49
I don’t know: 3

How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)
Specifying approved devices: 25
Requiring sign off on acceptable use policy: 32
Monitoring applications on devices: 14
Requiring defined security software on personal devices: 31
Requiring a secure virtual environment on personal devices: 25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
Restricting mobile data access to specific apps: 18
No restrictions, executives have free access to whatever data is available: 20
Does your organisation plan to implement BYOD for access to critical data? (% respondents)
Yes: 20
No: 55
I don’t know: 25

What do you perceive is the biggest obstacle to implementing BYOD for access to critical data? (% respondents)
Corporate security or risk concerns: 50
Corporate IT concerns over difficulty managing personal devices: 14
Corporate IT resistance to supporting executives’ personal devices: 14
Executive resistance to policy restrictions on personal devices: 9
Cost of required device management infrastructure: 6
Other: 4
Allocation or management of charges on executive devices: 4

In your opinion, what are the greatest challenges your company faces in securing access to critical data over mobile devices, whether owned by the firm or the executive? Select up to four. (% respondents)
Multiple data sources, each requiring distinct security measures: 49
Lack of knowledge about security/risk of mobile access: 48
Lack of resources to manage/secure data access: 34
Classifying data to determine risk profile for each source: 34
Lack of apps for all required platforms (eg, there may be an iPhone app, but not one for Android): 25
Data unsuitable for remote access: 23
Executive resistance to security measures: 22
Lack of resources to develop needed apps/access methods: 21
Legacy systems are prohibitive: 16
Lack of mobile access for some locations: 12
Other: 1
We do not face this challenge: 5
Besides your job title, what determines which data are/will be made available to mobile devices? Select up to three. (% respondents)
Availability of data: 40
Departmental or organisational standards: 32
Availability of mobile data access apps: 31
Type of access method (on site vs remote): 30
Speed at which up-to-date information is required: 29
Cost: 23
Screen size of the device accessing the data: 21
Regulatory compliance: 20
User preferences: 19
Other: 3

What determines which users are/will be permitted to access critical data on mobile devices? Select up to three. (% respondents)
Departmental or organisational standards: 54
Availability of data: 28
Type of access method (on site vs remote): 25
Cost: 24
Regulatory compliance: 23
Availability of mobile data access apps: 21
Speed at which up-to-date information is required: 20
User preferences: 19
Screen size of the device accessing the data: 9
Other: 3
What are the most important influences on company policies and approaches towards creating a mobile device and application strategy? Select up to three. (% respondents)
IT infrastructure requirements to accommodate mobile access: 60
Pressure from executives needing anywhere/anytime access to data: 44
Legal/regulatory requirements around data management: 40
Pressure from security/risk management: 39
Competitive pressure, wanting to be perceived as up-to-date by customers and competitors: 31
Pressure from senior management who wish to use personal devices: 23
Cost: 19
Other: 1

Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —C-level executives. Select up to three for each role. (% respondents)
E-mail: 74
Financial information: 60
Strategic planning: 42
Competitive intelligence: 35
Operational data: 24
Sales and marketing: 18
Customer information: 10
Human resources: 8
News or social network feeds: 6
Other: 1
Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —Business managers. Select up to three for each role. (% respondents)
E-mail: 75
Operational data: 44
Sales and marketing: 43
Customer information: 30
Financial information: 26
Competitive intelligence: 23
Human resources: 15
Strategic planning: 13
News or social network feeds: 8
Other: 1

Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —Employees. Select up to three for each role. (% respondents)
E-mail: 80
Operational data: 42
Customer information: 42
News or social network feeds: 23
Sales and marketing: 20
Human resources: 17
Competitive intelligence: 7
Financial information: 7
Strategic planning: 4
Other: 1
Which of these types of information/media are appropriate to be made accessible on mobile devices? —C-level executives. Select up to three for each role. (% respondents)
E-mail: 81
Financial information: 45
Strategic planning: 28
Competitive intelligence: 28
Operational data: 22
Sales and marketing: 19
News or social network feeds: 15
Customer information: 11
Human resources: 8
Other: 1

Which of these types of information/media are appropriate to be made accessible on mobile devices? —Business managers. Select up to three for each role. (% respondents)
E-mail: 81
Operational data: 38
Sales and marketing: 37
Customer information: 25
Competitive intelligence: 19
Financial information: 19
News or social network feeds: 17
Human resources: 14
Strategic planning: 9
Other: 1
Which of these types of information/media are appropriate to be made accessible on mobile devices? —Employees. Select up to three for each role. (% respondents)
E-mail: 82
Operational data: 35
News or social network feeds: 33
Customer information: 33
Sales and marketing: 18
Human resources: 12
Financial information: 5
Competitive intelligence: 5
Strategic planning: 3
Other: 1

Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —C-level executives. Select up to three for each role. (% respondents)
E-mail: 60
Financial information: 27
News or social network feeds: 25
Competitive intelligence: 23
Operational data: 21
Strategic planning: 21
Sales and marketing: 19
Customer information: 14
Human resources: 7
Other: 2
Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —Business managers. Select up to three for each role. (% respondents)
E-mail: 59
Sales and marketing: 33
Operational data: 29
News or social network feeds: 26
Customer information: 22
Competitive intelligence: 16
Financial information: 14
Human resources: 12
Strategic planning: 6
Other: 2

Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —Employees. Select up to three for each role. (% respondents)
E-mail: 62
News or social network feeds: 34
Operational data: 28
Customer information: 25
Sales and marketing: 17
Human resources: 10
Competitive intelligence: 7
Financial information: 5
Strategic planning: 3
Other: 2

Does your organisation provide mobile access to data for each of the following groups? (% respondents)
All international locations: Yes 54, No 34, Don’t know 12
All locations in your region: Yes 67, No 27, Don’t know 6
All departments: Yes 56, No 37, Don’t know 7
All roles: Yes 35, No 58, Don’t know 7
Does your organisation have policies in place for acceptable use of social networks (eg, Facebook, Twitter) on corporate devices? (% respondents)
Yes: 56
No: 39
I don’t know: 5

What policies does your organisation face around social network use on corporate devices? (% respondents)
Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
Only authorised spokespersons are permitted to access social networks on corporate devices: 26
Executives have unrestricted access to social networks: 19
Executives may not access social networks on corporate devices: 18
Other: 5

What is the ratio of time you spend on company-owned vs personal-owned mobile devices for your organisation? Drag the slider button to choose a relevant percentage split that reflects how each option should be weighted (eg, 60% to 40%). (% respondents, by company-owned:personal-owned split)
100:0: 12
90:10: 23
80:20: 17
70:30: 13
60:40: 6
50:50: 9
40:60: 3
30:70: 3
20:80: 2
10:90: 3
0:100: 9

What kind of priority does your organisation accord to the following strategies? Rate on a scale of 1 to 5, where 1=High priority and 5=Not a priority. (% respondents)
Investing in data services: 1 (High priority) 27, 2: 35, 3: 25, 4: 9, 5 (Not a priority) 4
Investing in mobile services: 1 (High priority) 16, 2: 29, 3: 31, 4: 15, 5 (Not a priority) 9
Investing in security services: 1 (High priority) 37, 2: 32, 3: 19, 4: 9, 5 (Not a priority) 3
In what ways is your company empowering access to critical data today and how might that change in the future? —Today. Select one answer in each column for each row. (% respondents)
Providing access to multiple types of data: 60
Providing secure mobile environments to allow access to critical data: 45
Enhancing secure access to data (eg, mobile device generated security tokens): 41
Training executives to use mobile data more effectively: 36
Enabling customised mobile views of data: 24
Providing mobile apps to access critical data on multiple platforms: 20
Providing secure cloud-based environments for mobile use: 20
Designing intuitive mobile user interfaces: 15
Incorporating new communication/data access methods (eg, QR codes, NFC): 14

In what ways is your company empowering access to critical data today and how might that change in the future? —In the Future. Select one answer in each column for each row. (% respondents)
Enabling customised mobile views of data: 58
Providing secure cloud-based environments for mobile use: 57
Providing mobile apps to access critical data on multiple platforms: 52
Designing intuitive mobile user interfaces: 48
Providing access to multiple types of data: 47
Enhancing secure access to data (eg, mobile device generated security tokens): 45
Providing secure mobile environments to allow access to critical data: 43
Training executives to use mobile data more effectively: 42
Incorporating new communication/data access methods (eg, QR codes, NFC): 47

What is the proportion of critical data you access over mobile channels today? Total should be 100%. (Average)
Mobile via smart phone: 26.9
Mobile on other devices (eg, tablet): 21.7
Non-mobile access: 59.8

What will be the proportion of critical data you access over mobile channels in 12-18 months? Total should be 100%. (Average)
Mobile via smart phone: 34.5
Mobile on other devices (eg, tablet): 30.2
Non-mobile access: 42.8
In the next 12–18 months, what does your organisation expect to do with access to critical data that it is not currently able to do? Select all that apply. (% respondents)
Provide wider data support for mobile devices: 47
Identify risks that are not currently apparent: 46
Further improve business process efficiencies: 45
Provide access to data from more data sources: 44
Identify opportunities that are not currently apparent: 40
Improve customer service: 34
Speed up process improvements: 33
Provide access based on user’s role and/or device type: 32
Increase consumer engagement: 27
Drive new revenue streams: 23
Innovate on more diverse and timely feedback: 17
Other: 1

In which region are you personally located? (% respondents)
Asia-Pacific: 27
Latin America: 9
North America: 29
Eastern Europe: 3
Western Europe: 25
Middle East and Africa: 6

In which country are you personally located? (% respondents)
United States of America: 23
India: 10
Canada: 7
United Kingdom: 6
Germany: 4
Singapore, Australia, Brazil, Mexico: 3
Italy, Hong Kong, Switzerland, China, Nigeria, Spain: 2
France, Belgium, Netherlands, South Africa, Finland, Japan, Malaysia, New Zealand, Portugal, United Arab Emirates, Chile, Sweden, Russia, Bahrain, Bulgaria, Colombia, Czech Republic, Hungary, Israel, Pakistan, Philippines, Poland, Taiwan, Thailand: 1

What are your organisation’s global annual revenues in US dollars? (% respondents)
$500m or less: 45
$500m to $1bn: 9
$1bn to $5bn: 17
$5bn to $10bn: 7
$10bn or more: 22
What is your primary industry? (% respondents)
IT and technology: 13
Financial services: 11
Professional services: 11
Energy and natural resources: 9
Healthcare, pharmaceuticals and biotechnology: 8
Manufacturing: 8
Consumer goods: 6
Government/Public sector: 5
Telecoms: 4
Chemicals: 3
Entertaining, media and publishing: 3
Transportation, travel and tourism: 3
Retailing: 3
Education: 3
Logistics and distribution: 3
Construction and real estate: 2
Agriculture and agribusiness: 2
Aerospace and defence: 2
Automotive: 1

Which of the following best describes your title? (% respondents)
Board member: 5
CEO/President/Managing director: 27
CFO/Treasurer/Comptroller: 8
CIO/CTO/Technology director: 5
Other C-level executive: 8
SVP/VP/Director: 17
Head of Business Unit: 3
Head of Department: 8
Manager: 15
Other: 3

What is your main functional role? (% respondents)
General management: 30
Strategy and business development: 17
Finance: 15
Marketing and sales: 10
IT: 7
Operations and production: 5
Information and research: 3
R&D: 3
Risk/Security: 2
Procurement: 2
Customer service: 2
Human resources: 2
Supply-chain management: 2
Legal: 1
Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

Cover: Shutterstock
London: 26 Red Lion Square, London WC1R 4HQ, United Kingdom. Tel: (44.20) 7576 8000. Fax: (44.20) 7576 8476. E-mail: london@eiu.com
New York: 750 Third Avenue, 5th Floor, New York, NY 10017, United States. Tel: (1.212) 554 0600. Fax: (1.212) 586 0248. E-mail: newyork@eiu.com
Hong Kong: 6001, Central Plaza, 18 Harbour Road, Wanchai, Hong Kong. Tel: (852) 2585 3888. Fax: (852) 2802 7638. E-mail: hongkong@eiu.com
Geneva: Boulevard des Tranchées 16, 1206 Geneva, Switzerland. Tel: (41) 22 566 2470. Fax: (41) 22 346 93 47. E-mail: geneva@eiu.com