Nearly half of all companies surveyed have no policy in place
Only about 14% of companies have a fully developed mobile device security policy for their corporate networks. Meanwhile, the number of IT security incidents involving cell phones and tablets is on the rise, and most companies have no plans to limit the use of personal mobile devices for work-related purposes. These are just some of the findings of B2B International’s Global Corporate IT Security Risks 2013 study, which was conducted among businesses located around the globe in collaboration with Kaspersky Lab this spring.
IT security incidents involving mobile devices already take many different forms, and can only grow more diverse and widespread over time. 6% of respondents to B2B International’s survey identified mobile devices as the source of at least one confidential data leakage over the past 12 months. While this may only be a 1% increase on 2012 figures, mobile devices caused more critical data leakages than either phishing attacks (5% of companies), employee fraud (4%), or corporate espionage (3%).
The reason is obvious: more mobile devices (smartphones and tablets) are being used at work on a daily basis. These devices are also often owned by the employees themselves, and so are used for personal as well as business purposes. Having important corporate and personal information (contacts, apps, etc.) to hand on one device is certainly convenient, but it does pose a substantial risk to company security. Nearly 65% of survey participants admitted that the Bring Your Own Device environment (BYOD, where employees use their personal mobile devices for work) is a growing threat to the security of corporate IT infrastructures. At the same time, nearly 64% of companies do not have plans to impose any prohibitive policies on mobile devices, and about half the companies surveyed believe restrictive measures would be useless.
IT security policies for mobile devices (internal corporate rules governing their use) could greatly reduce the business risks associated with smartphones and tablets. But a well-developed mobile device security policy tends to be the exception rather than the rule. Roughly 41% of survey participants reported that their companies do have a policy, but not one that is fully developed; 32% of respondents planned to roll out a mobile device security policy in the future; and 13% said that they have no policy in place and no plans to develop one.
One reason why these policies are not fully implemented may be a shortage of resources in terms of time and money. Nearly half (48%) of those who reported having a mobile device security policy in place said that insufficient funds had been allocated for this, with another 16% stating that no additional funds had been allocated at all.
How to make policies work
Effective Mobile Device Management (MDM) solutions, as provided through Kaspersky Security for Mobile, enable corporate policies to be remotely deployed and enforced, even on BYOD devices. For example, companies can choose to limit the list of applications that can be launched on a mobile device, or block attempts to redirect the user to a malicious website via a smartphone or tablet web browser. Containerization allows corporate data and applications to be isolated and encrypted, and in the event of loss or theft of the device, the container can be remotely wiped. Offering powerful anti-malware protection and unified management through a single console, Kaspersky Security for Mobile can be purchased separately, or as a feature of Kaspersky Endpoint Security for Business, the integrated security platform.