BYOD and Mobile Security: How to Respond to the Security Risks

June 04, 2013

Bring Your Own Device (BYOD) is a popular topic in 2013. The trouble is that IT is trying to understand the security risks and prepare strategies to either adopt employee-owned mobile devices or decide against it for security and data control reasons. The 160,000 member Information Security Community on LinkedIn conducted the survey “BYOD & Mobile Security 2013” to shed some light on the drivers for BYOD, how companies will benefit from BYOD, and how they respond to the security risks associated with this trend. With 1,600 responses, some interesting insights and patterns into BYOD were uncovered.


Chris Merritt: Hello, everyone, and welcome to this webcast where we're going to talk about the results from recent BYOD survey we did on LinkedIn.
I want to introduce my co-presenter, Chris Chevalier from Product Management. Welcome, Chris.
Chris Chevalier: Thank you.
Chris Merritt: So, audience, you won't have any difficulty remembering who is who here. We're both Chris's. We both work at Lumension, and we're very excited to be presenting these results to you.
In today's webinar, we're going to talk about the methodology of the survey, talk about some of the threats, the trends, and the strategies we see as a result of these surveys. One housekeeping note, Chris and I like to keep this very conversational, as you'll see as we go through this thing. So, if you have questions as we're going along, please put them into the question area up at the top of the screen there, and we'll answer them as we go along. So, you know, don't be shy, send us your questions.
All right, with that said, let me start by thanking the members of the LinkedIn Information Security Community for participating in this survey. Something over 1600 people, or 10% of the group participated, which is pretty awesome. Also, very special thanks to Holger Schulze for pulling this survey together, and for conducting it, and doing the analysis, and sending out the report. It was a great effort by him, and we really appreciate it.
So, with that said, let's start by talking about the survey methodology.
Here are some of the demographics of the respondents. The survey was conducted in April of this year, 2013 in, as I mentioned, the Information Security Community group in LinkedIn. We collected something over 1600 responses from information security professionals from around the world. So, you can see here that we had a lot of folks that were really in the IT specialty. We see that primarily the respondents were working for small-to-medium businesses. We see that they were predominantly in the software industry.
Chris Chevalier: You know, what I like about the results from a survey like this is we see the career levels, primarily specialist-to-manager really dominating the results set. So, these are answers from people that are down in the trenches. These aren't the guys that are up high and are thinking, "Oh, in theory, we're gonna do this, this, and this." This is really from the people who have to implement it, who have to think through the tough problems and come up with solutions.
Chris Merritt: They're the real practitioners.
Chris Chevalier: Hopefully it's…you know, gives us a little more honest view of what's really gonna happen.
There was a question there, someone asked if these slides would be available. I believe the webcast recording will be available.
Chris Merritt: Yap, the webcast will be posted afterwards. We'll be sending everybody a note as to where to get the slide deck and the webcast replay on demand. In addition, you can get the actual survey results, and I'll give you a URL towards the end of the presentation where you can download the survey results itself, or the report itself. So, all of that material will be made available. Thanks for the question.
You know, the other thing, Chris, that I…you know, we see a lot of BYOD, and so on and so forth, kinds of surveys these days. So, what's interesting, as you mentioned, this is really looking at the folks that are down in the trenches, so it's a little different than other surveys we've seen, right?
Chris Chevalier: Yep, absolutely. You know, most of the analysts and high-level, you know, thinker surveys go out and contact the same types, but this is, I think, being sort of grassroots and, you know, from LinkedIn, and really is kind of bringing us a clearer picture of what's really going on out there.
Chris Merritt: Yeah, okay. So, the other thing that we wanted to look at under demographics was kind of, where are the respondents and their organizations with respect to BYOD today?
Chris Chevalier: So, if we take a look here, you can see that if you're concerned that you haven't done a lot around BYOD yet, you're not alone. So, 60% of the respondents here said that they haven't done anything in their organization yet around BYOD, but they're thinking about it. Another good chunk of people, almost 50%, they're already starting to work on the policies and procedures, but you can see that around 35% are fully implemented.
Chris Merritt: And, it's also interesting, if you look down towards the bottom there, you'll see that 10%-ish folks responded that BYOD will not be permitted. That is an interesting stat.
Chris Chevalier: Yeah, that's definitely one way to deal with BYOD. And, I can imagine that organizations that deal in particularly sensitive data or have heavy regulatory coverage may want to take that route of not permitting BYOD, but that still takes action on the organization's part to not permit BYOD. If you look at the one right above that that says, "Not yet adopted, and no plans," those organizations likely have people bringing devices into the organization and connecting to assets, and there is no visibility or no management of that, whatsoever.
Chris Merritt: Yeah, not permitting it does require action as you say. I mean, if…the alternative really is gonna be the, what's called CYOD in some circles, the corporate devices. And, yeah, you're gonna have to be able to distinguish between those devices and set your networks up, and do a lot of the things we're gonna be talking about even in that case, right?
Chris Chevalier: Yap. I think organizations have to choose one path or the other, and it's not a decision that they should just sit out. It could be perilous to do that, actually.
Chris Merritt: Yeah. Okay, well, the other thing, I think, for everybody out there in the audience, as we go through the responses, it's kind of important to remember these demographics and kind of where folks are in their adoption curve, as we start to look at the responses to the questions.
So, with no further ado, we'll move on to the first section which is looking at current security threats.
Now, before we do that, I want to see if I can get a audience vote up there. So, you should see on your screen…you may have to push a button, I'm not certain. Has your organization experienced any mobile-related security problems? And possible answers, A: Yes, many, B: Yeah, some, C: A few, D: No, none, and E: I have no idea. And, look, that's perfectly legit. So, we'll leave this up while we talk about this section, right Chris?
Chris Chevalier: Yep.
Chris Merritt: Okay. By the way, if you have any comments about some of the experiences you've had with mobile-related issues, we'd really like to hear 'em in the comments, or up in that question section.
So, the first area that we asked about was: What are your main security concerns related to BYOD? And, we see at the top there, loss of company or client data at about 75%, closely followed by, unauthorized access to company data and systems at 65%, and then followed by 47% at fear of malware infections, although we do have to note that the lost and stolen devices are really close, and statistically maybe only 1% difference between malware infections and lost stolen devices.
Chris Chevalier: Yeah, and some of these things are related. With lost or stolen device, I think the fear there is not the cost of the device per se, but the data that's on it, the company data specifically. The malware infections…I mean, I'm glad to see that people are thinking in that line, but there are a few different ways…and I'm wondering if people interpreted this as, are they worried about malware that runs on iOS or malware that runs on Android?
And, those are certainly concerns, and malware that is native to those devices can be an entry point, for sure, for malware, but there are a couple other ways that these devices also allow the introduction of malware. One is that people connect these physically to their computers, to their endpoints, and they show up as removable storage devices, or a portable device that they can sync with. And, they might have…you know, that's a transport mechanism for malware that isn't native to the device, but could get itself onto, you know, a Windows machine, for example, and work its way into the organization.
Chris Merritt: So, it's really the propagation via the network access that you're talking about. So, we have the native concerns, and then the connection concerns. Anything else?
Chris Chevalier: And then...yeah. To go even further, you know, everyone's got their email on their device. And, if you're connecting to your corporate email server, well, you know, that's a perfect entry point for malware to get itself into the organization and spread itself everywhere right away. So, it doesn't even have to be iOS malware or Android malware that you're concerned about. You have the same concerns as you do with a USB stick or anything else.
Chris Merritt: Yeah, and, in fact, spear phishing, if you do compromise somebody's email address via the mobile device, and spear phishing becomes pretty trivial, doesn't it?
So, the other thing that I noticed in here, Chris, is that the compliance with industry regulations was down…what? Sixth place here, something like that, down around 25%, 30%-ish. That kind of surprised me a little bit.
Chris Chevalier: I think that…it surprises me as well, but it might be reflective of the state or the phase that organizations are in, that they're just starting to think about this. Industry regulations don't even necessarily have to be updated to apply to mobile devices. The way that regulations are written includes mobile devices already, and therefore, you know, the way that you manage mobile devices is subject to regulatory compliance issues. And, companies just may not have thought that far through it yet or had that concern, but, you know, we are hearing from customers that they need to be able to show in an audit that their phones, the devices that they're managing are at least password-protected so that the data on there is secure.
Chris Merritt: Yeah, there's both the compliance issue and then, you know, the data loss issue. I mean, it's kind of, you know, two sides of the same coin. I mean, you know, we know that IP is very valuable, customer lists, your design plans, your marketing plans, those sorts of things. If those get leaked out, that's a problem. And then, every company has employees, and employee data is just as protected under the law as customer data. So, you have a lot of different reasons why data protection becomes a concern there.
Let's move on and look at the next area: negative impacts of mobile threats.
So, here we looked at…it's kind of the same question we have in the poll. The biggest mobile threat negative impact that folks talked about were the need for additional IT resources to manage them, at 33%, and that's there at the top. And then, we see, kind of trailing, next actually is, none, at 28%.
Chris Chevalier: So, no, negative, either you need more people, or it has no impact at all, or you don't know. That's for sure. I kind of went to the reduced employee productivity answer here, and just, I was curious why that was a concern for people that employees would be less productive, because if you look at non-business use of devices, the top ways that people spend their time are gaming, checking the weather, streaming video, that sort of thing, and they have all that available to them really at their desk already, those time wasters, and temptations, and diversions are already present in their organization. So, I don't know…it'll be interesting to see if mobile devices increase that lack of productivity at all, but I feel like it's already there. Maybe it just makes it a little more convenient.
Chris Merritt: Yeah, I'd be curious to hear what the audience has to say, that, do you see time wasting on mobile as being a bigger issue than on your desktop, or laptop, that sort of thing? If so, why? That's a very curious result, I agree.
Chris Chevalier: And then, the other thing that I thought was particularly low here, which ties back to the regulatory and compliance discussion we just had, is that the company had to pay regulatory fines. You know, that…as I said, you have the same concerns here as you do with a removable hard drive, or a flash memory device, or something like that. If you lose the data that's on or accessible to buy the phones, you know, you're subject to the same sort of penalties and liabilities that you would be, you know, as if you'd lost a laptop or a hard drive.
Chris Merritt: Yeah, and, in fact, earlier this year, HIPAA ruling came down fining a organization out East. I think it was a million dollars for loss of data on a mobile phone. So, you know, we're definitely seeing the regulatory environment amp up to consider mobile devices. I suspect that the low response here is good news for organizations that they're managing these things properly or sheer luck. So, definitely want to be thinking about that as you're putting together your BYOD and mobile accommodation plans and policies.
Okay, well, that's the end of this section. I want to go ahead and close the vote on the first question we had there.
All right, so the results...let's see here. D: No, none, 33%. C: Yes, a few, 29%. B: Yes, some, 9%. A: Yes, many…there's some honest folks, 3%. And then, finally: I have no idea, at 26%.
So, that kind of is a little different than the results we see in the survey results, but kind of queue the line.
Chris Chevalier: Be curious to find out what's behind the "Yes, many." I'm sure there's plenty [SP] of stories there.
Chris Merritt: Wow! Yeah, I'd love to hear some stories, if you care to share.
Chris Chevalier: So, we did get a couple of comments on the productivity issue, and some people are saying, "Yeah, I could see lots of productivity for a while when people get a new toy." You know, that definitely is the case. I got a new phone recently, and it took us about a week to get acquainted with each other and get used to each other. But, you know, I think that kind of thing is just…that's gonna happen and we'll drop off. So, normal productivity hit of any new software or device that you're getting now, that makes sense. I think my last MS Office upgrade will get my productivity up, as well.
And then, there was another comment that studies have shown short periods of gaming can actually increase productivity. So, that might be true, but that might be a hard sell.
Chris Merritt: Yeah, I would agree with that. I'm not sure my boss would, though.
Chris Chevalier: Exactly.
Chris Merritt: But, great comments. Anything else there, Chris?
Chris Chevalier: I think that there's another comment basically about the temptation to do personal things because you have this personal device that has business and personal next on it. So, people might spend more time on social media and that sort of thing, but, you know, that might also be true. Personally, you know, as I walk around the office, I see plenty of people not being shy about being engaged in social media, you know, in any organization really.
Chris Merritt: Yeah, and I think we'll touch on this a little later. But, certainly the flip side of that is that I also see lots of folks out at dinner reading email, work email, or while on vacation, we certainly see a lot of discussion about the blending of work and personal life across 24 hours. So, yeah, I think there's both sides to that.
So, interesting discussion. Keep the comments coming, we love 'em, and we'll carry on.
Let's see, the next area that we want to talk about are the top trends and drivers that we kind of gleaned out of these results.
Before we move into that, we're gonna open another poll. On this poll, which you should see up on your screen now: How many of you have a password on your devices which has access to company data? So, you know, mobile phones or that sort of thing that can access company data, do you have a password on it? And, you might have multiple devices. So, again, the answer is: Yes, all of them, Yes, most of them, Yes, all except my smartphone, and D: No, not yet.
Chris Chevalier: We all know what the answer should be, but be honest with your response.
Chris Merritt: Okay, we'll leave this up for a little while, and carry on here.
The first area under the drivers that we want to look at were the main drivers and benefits that organizations expect to get from a BYOD policy. And, what we see here is most of them are about keeping employees happy and productive. So, we see, greater employee satisfaction at 55%, improved mobility at 54%, and increased employee productivity at 51%. Statistically, somewhat different, 54%, 55% probably statistically the same, 51% maybe a little different. What we also see, though, is kind of a concern about business enablement vs. the cost of doing that.
So, when we look down towards the bottom there, we see reduced endpoint and device hardware costs, reduced operational support costs as weighing in, but not quite as important. So, organizations seem to be looking at the bright side as it were.
Chris Chevalier: Yeah, the employee satisfaction is a big one. I think that people expect to be able to use their device at work, for work. And, you know, I can see the employees saying, "Hey, I got this phone. I can get email on it. Why can't I use it for work? Wouldn't the company want me to have it with me, you know, so I can do more work? Why would they complain?"
And, the IT department doesn't want to be the bad guy and say, "No, we're not going to allow you to use your smartphones in our organization." So, you're driving toward employee satisfaction. You want to facilitate this, but this leads to the standard challenge in implementing any sort of new technology like this. You want to provide a lot of information, you want to be flexible, give users options, but you have security concerns and you need to understand, you know, how are you going to control and limit that, but at the same time, you're enabling? And, that's quite a challenge.
Chris Merritt: Yeah. As you say, it's the standard security conundrum: How do I enable business while ensuring that security is met, both from an internal perspective: I don't want my company IP out on the street, and from a regulatory perspective? And, I think a lot of that comes down to some of the things we talk about in other areas of security: What kind of organization are you? Permissive? Moderate? Stringent?
Chris Chevalier: Yap, and that will dictate a lot of your mobile policy as well. You know, the stringent security companies may be the ones that say BYOD will not be permitted at all, and they'll make an effort to go out of their way and eliminate that. Permissive companies may say, "Have at it. We're just going to put a couple of little requirements and caveats on you."
Chris Merritt: Yeah, and certainly every organization has to understand what their risk appetite, what their risk tolerance is, and build their policies around that. You know, there is no one-size-fits-all kind of situation there.
So, as we go forward, and they're talking about a lot of these drivers, and threats, and everything else, I mean, you have to keep in mind, where are you on that continuum, from permissive, from moderate to stringent, and how does that then impact how you're going to build the policies that you're going to implement in your organization?
Chris Chevalier: You know, what I'd be curious to understand here is how BYOD is going to reduce operational support costs for your organization, unless that's just simply moving from a corporate-owned device model to a user…you know, employee-owned device model. I guess I can see that, but I wonder if there are other ways in which BYOD would…you could show as a cost reduction.
Chris Merritt: Yeah, there are a lot of studies out there looking at the total cost of ownership issues of BYOD vs. corporate-owned, and they're coming back rather…well, it's difficult to say. I've certainly seen somewhere the BYOD is more expensive, and somewhere the overall corporate-owned costs are higher. It really depends on how things are implemented. Some of the costs that folks look at are the provisioning, the ability to control the roaming costs and other costs like that. It also depends, it seems, on what kinds of employees you have. Are you looking primarily at folks that sit at their desks, or do you have a lot of people out in the field? So, I think there's a lot of variability there.
So, let's move on Chris, maybe to…here we go.
All right, the next area we looked at is, what mobile platforms are being supported out there today? And, these results are both very unsurprising and somewhat surprising. So, at the top here we see iOS from Apple, closely, relatively speaking, followed by Google's Android.
What's surprising to me, Chris, is seeing Blackberry and Microsoft up there.
Chris Chevalier: Yeah, I think, well, Blackberry obviously pretty deeply entrenched in organizations. And, while they may be, you know, losing…well, they are losing share to the other two, then I think there's still a lot of residual stuff out there. And, honestly they're making a yeoman's effort at a comeback with some of the newer devices and technologies. So, you know, I wouldn't count them totally out of the running yet. I would say that the Windows entrance, though, is pretty recent, and that's a fairly high [inaudible 00:26:50].
Chris Merritt: I mean, that's very interesting and…yeah, especially considering, you know, remembering the demographics of the folks that responded. If you look at overall market share, certainly Windows is a distance fourth or fifth, but, yeah, I think the recency of the survey, with respect to Windows 8 Phone out, all of that.
Chris Chevalier: When I see a question like this, is…I guess, when I see…this is what people think that they support, but the fact is, if you are not out-and-out preventing anything, it's probably happening, anyway, and maybe you're not supporting it, but you should either support it or prevent it, I guess is my point. It's all-or-none. Are you keeping other devices? You say I only support Apple and Android…iOS and Android. Are you somehow preventing other devices from connecting to your network? Because, really you're sort of supporting it [SP].
Chris Merritt: Yeah, I mean, the policy has to look at both the positive and the negative sides of that. I mean, like you say, if you're supporting iOS and you don't want to support the others, what are you doing to prevent them? If you're going to be open and support every platform, or the major platforms, then you're adding complexity, you're adding cost, you're adding some level of operational difficult. So, you have, you know, a bit of issue there that you're gonna have to resolve, again, based on what it is that your organization wants to do, and how agile your organization is. I mean, you know, do people want to have the latest phone every other month? If so, you may be forced into a situation where you've got to support all of those platforms.
I think the…
Chris Chevalier: What we do see some people do is draw a draw a line and say that, "We'll support Android, but not before a certain version, or iOS, but not older than this," and they want…organizations want like, some level of maturity, or some, you know, minimum patch level of the OS to be present in the network.
Chris Merritt: Yeah, and that's especially important on the Android side, because…there was a map I saw of the fragmentation of Android versions, and it was incredible. You couldn't even show that on a standard screen. It was too fine, the separations.
Okay, let's move on and look at the IT infrastructure support now. So, this is…we've looked at the platform support. Now, what infrastructure is being developed to support the BYOD and smartphone movement? And, what we see here is that 45% of organizations are embedding personal mobile devices via guest networking or some sort of separate network. Interestingly, almost 30% of folks have no specific infrastructure.
Chris Chevalier: I think that right there is probably the concern, because you have clearly more control over the endpoints that you owned and those that you don't, and do you want these endpoints to have the same access level that, you know, your traditional desktops or even your laptops have within the network? And, I think, you know, rather than just granting these devices carte blanche to the entire standard network, why not set up a guest network where you're limiting their access a little bit, hopefully providing them with the capabilities that they've asked for and that you need to provide them with. But, limit your liability. You know, make it so that you can't get to certain information.
Chris Merritt: Yeah, absolutely. Now, we didn't do any cross-correlations on these data, so I can't tell you whether that 30% include the folks who say they have no plans adopting BYOD, and those who are just in the beginning kind of thought level stages. One suspects that's possible, but I think, for the audience, the thing that Chris is talking about may…you know, again, as a consideration as you're developing your policies, how is it that you're going to allow BYOD into your organization safely and securely? And, it goes beyond just, "Gee, we're gonna save some money by making the employees buy their own devices." You have to set up these networks to accommodate the access so that you can control what it is that folks are downloading and pushing out onto their phones.
The other thing that I kind of wanted to bring up, Chris, and we had talked a little bit briefly about this earlier, was, what does the application repository answer mean? I'd be really curious to hear if our audience has any experience in that. Maybe some of the folks who took the survey and responded with that could tell us what they had in mind.
Chris Chevalier: Yeah, I was thinking about that myself, and I wondered…and it actually seemed like a clever solution to me for an organization, would, rather than just permit network access to all the resources on the network, maybe the organization develops an app for its employees, and that is the channel through which they have access to company data. And, that might provide more control for the organization over your ability to monitor and control what happens as the employees are interacting with the corporate data, if they're doing it through your own proprietary app. So, when I read that answer, I wondered if that was actually happening out there, and if that was the case, rather than letting them use commercial apps, and have full network access, just providing them with a corporate app that gives them the information and the tools they need, and nothing more.
Chris Merritt: Yeah. Okay, moving along. The next area that we looked at were the most popular business applications. And, not surprising, the top answer, at 80% somewhat, was: Email, calendar, and contacts. What do you think of that, Chris?
Chris Chevalier: I think that's a pretty safe assumption, but those are the common denominators that everyone's going to want access to, email, calendar, and contacts, of course. But, I think that you will find, if you go around to different roles, different departments within the organization, that you'll find you'll have power users in certain areas. So, the marketing department may be particularly high users of something else, sales might be the CRM system, for example. You know, they may spend more time in that than they do in email, calendar, and contacts, or…you know. So, you may find that, while that's the common thread, that there are some other areas that you're going to see heavy usage of, and need to maybe bolster your support around.
Chris Merritt: Yeah, I think, you know, generally speaking, these results mirror results I've seen in other surveys. I think another thing to consider here is, what is currently really feasible or useful to do on a mobile device vs. what you would do on a laptop? You know, doing heavy duty editing on a phone is difficult, doing some lightweight editing, feasible, doing heavy duty use of applications, I mean, for instance, CAD/CAM, or something like this…I mean, that's a ridiculous example, but you get my point that there are areas where it's just difficult to do some stuff on a mobile phone vs. a laptop. So, that also, I think, colors these results.
Chris Chevalier: One thing that's sort of flying under the radar here, and this ties in with a comment that someone had sent in on record retention policy for emails, is the cloud backup answer. And, obviously the owner of the device has the capability to back his device up to his preferred cloud solution, and that would then include corporate data. And so, that cloud backup capability and the parameters under which that operates might be something that you, as an organization, want to control or manage, or at least dictate by policy, because that's your data going into their backup.
Chris Merritt: Yeah, we certainly see a lot of discussion around that these days, kind of the so-called Dropbox problem. We're seeing it around desktops, we're seeing it around mobile, we're seeing in a lot of places, so, you know, definitely something that, as practitioners, you want to keep an eye on. To a certain extent, it's almost invisible to you. So, you know, the first step to solving a problem is acknowledging that you have one, and that requires some sort of visibility.
Chris Chevalier: Yeah. Just to finish up on that comment, it says…touch on record retention policy for emails, I don't know that it would be any different in the case of BYOD, but you do…I mean, you have those emails on those devices. If you have a policy where you don't want employees retaining email records, then, you know, that's another thing that you need to think about, because they could live on that device for some time, not as long as they will on your traditional endpoints and, you know, within your mail server, and that sort of stuff, but they could get backed up and then still exist.
Chris Merritt: Yeah, and, of course, the converse issue is there are a lot of industries where retaining email for a certain period of time is required by law. And so, you know, again, if you have limited storage on the phone, the question is, "Okay, how are you going to create the system so that when folks are using their phones for email, which, you know, they obviously are going to do based on these results, how are you going to retain those emails for regulatory compliance?" So, again, from a policy perspective and from a design perspective, you need to keep that in mind as you're going down this path. Again, this is not just, "Hey, gee, I'm gonna allow a new phone into the system." There's a lot of bits and bytes that you're gonna have to work out.
Okay. The other thing I wanted to point out, Chris, is that, you know, we're looking at business apps here, and there are a lot of surveys out there on what folks do with their phones when they're not doing business. What do you suppose number one is?
Chris Chevalier: I'm gonna say gaming.
Chris Merritt: Gaming it is. You're correct, sir.
Number two, interestingly, was weather. And, you know, I don't see, on this particular results, anything on traffic, but I suspect traffic is right up there.
Chris Chevalier: I would imagine.
Chris Merritt: So, yeah, some results, you know, they vary, of course, but I have some stats here from Digital Buzz. They were very interesting. And, you know, social networking was right up there, music was right up there, news, you know, middling [SP] down at 36%, entertainment right around the same area. So, lot of stuff people do on their phones is not work-related.
Chris Chevalier: Just on a side note, do you think weather was as interesting before mobile devices? I feel like we didn't spend as much time on it before we had phones.
Chris Merritt: All right, let's move on now to the success criteria. So, what is it that organizations will use to determine the success of their BYOD deployments. And, what we see here is that maintaining security at 70% was number one, improving or maintaining employee productivity was second at 54%, followed at around 44%, usability, and then it drops off from there. So here, again, we see kind of that bifurcation, that operational concern vs. the security concern.
Chris Chevalier: Any time I see success criteria, the next thing that pops into my head are the metrics and the goals that you're going to use to determine whether your project was successful. And, in some organizations, maybe you're required to do that and show, you know, the success rate of a program. But, even if you're not, it's worth doing, and I'd be curious as to what some of the metrics involved behind security would be. I mean, maybe it's a low level of malware introduction, like we talked about, or no, you know, data loss incidents, or something like that, but I would maybe look at the metrics that you have in place for the standard organization, and see what you could adapt and use for the BYOD program, for your mobile program, and establish…you know, set up some goals and measure that so that you can understand and prove internally that this has been successful. Employee productivity, you may want to look at people who are using email in off hours because they have their device with them and they can answer emails, you know, who wouldn't otherwise do that if they didn't have that access.
Chris Merritt: Yeah, I'd be interested to hear if anybody in the audience has any experience in putting some KPIs together for a BYOD deployment, what their experience there is. I think you're absolutely right, Chris, that you're really looking at existing success criteria, and now trying to extend those into the BYOD area. But, you know, as you do those things, they do have to inform on that policy creation and the tools you're gonna use to enforce that.
The area that I found interesting here, Chris, was innovation at about 19%…call it 16%. It's a very interesting result, and I'm wondering what folks had in mind when they were thinking about innovation.
Chris Chevalier: Yeah, I was curious about that, too, and I'm not sure what organizations are planning to innovate as they roll out their MDM and BYOD support programs, but I'm anxious to see something new emerge.
Chris Merritt: Yeah, and I think, you know, in my mind, something like American Airlines getting rid of the flight manuals that all the pilots carry, and replacing them with a tablet. And so, they've reduced the weight on the plane by something like a hundred pounds. So, I mean, a hundred pounds, not that big a deal the guy. The guy who sat next to me on the last flight probably ate that hundred pounds up. But, it's interesting that they're thinking this way, and innovating using these new technologies, and putting them in the hands of employees that are out in the field, and, you know, using them to do their jobs better.
Chris Chevalier: That's true. I mean, if you consider that everyone has a smart device in the organization, and that does give the organization the opportunity to come up with new ways to help people get their jobs done.
Chris Merritt: Yeah. Okay, let's move on here and look at readiness for BYOD adoption.
This is a difficult chart to read. Basically when you crunch the numbers, what you see is that a majority of the organizations say they're less than 50% ready to adopt BYOD into their enterprise. So, you know, the converse or flip side to that is, most organizations seem to be worried about being ready for BYOD.
Chris Chevalier: Yeah. I mean, I think you hit it right on the head. Most organizations understand they're not completely ready, and may never get to 100% ready. I mean, you may have to start before you hit 100%.
Chris Merritt: Yeah, I mean, there are a lot of angles that you got to be concerned about. I mean, you got to worry about your compliance regimes, both your internal security policy or existing security policy, and whatever regulatory things are out there that you have to comply with. What else?
Chris Chevalier: I mean, there really is a lot to do if you wanna be 100% ready and have done this right. Like you said, there's so many aspects to the policies that, you know, just the written policy that you want to put in place, never mind the whole project of going about trying to enforce that policy, but just establishing a policy in the first place, there's so many angles and aspects, too, that need to be covered both from the positive and the negative, and, you know, we talked about going around different stakeholder groups who would be utilizing BYOD, and understanding what their needs are, and how you can amply provide for those needs and still, you know, within the confines of common sense security. So, I think it's a giant project to be ready, to say that you're ready.
Chris Merritt: Yeah, we'll talk a little bit more about that in a second. Let's go ahead and stop the voting on question number two, and take a look at the results here.
Wow! This is interesting. So, again, how many folks have passwords on all their devices? And, by far, the biggest response, 63% said, "A: Yes, they have passwords on all the devices."
Chris Chevalier: These are smart people, Chris. These are IT professionals.
Chris Merritt: Yeah, I like it. Some, B: Yes, on most of them, and D: No, not yet, 15% each, so, some honest folks there. Perhaps, after this webinar, they'll go off and put passwords on their devices. And then, interestingly, C: Yes, all except my smartphone, got 8% of the vote.
And, I think you talked about this, that what you're hearing from customers is that getting a password on devices is like, the first question auditors ask, right?
Chris Chevalier: It is. It's one of the first questions, and one of the easiest things you can do, but to be honest, this survey is about the inverse of what we see from the general population, or other surveys. Believe it or not, such a simple thing as setting a password, the majority of mobile device users don't have a password on there. I don't know if it's too disruptive, it takes them an extra five seconds to enter their password, but they…I've heard users that really object to setting a password up on their device, and it boggles my mind actually. I don't…
Chris Merritt: All right, let's move on to…look at our last section: What are the strategies that you need to implement to minimize the risks of BYOD deployment?
Before we move on, I'm gonna open the final poll question: What is the greatest barrier to securing mobile devices in your organization? A: Budgetary constraints, B: Legal or HR issues in policy establishment, C: Resources for implementation, scheduling, etc., D: Lack of C-level support, and E: Other. And, if you have other, put your answer in the question so that we can look at those as we finish up on this webinar.
Chris Chevalier: So, one question that was sent in, that sort of relates to barriers to rolling out your BYOD program, somebody asked, "Does the fragmentation in Android that we talked about cause an issue with a company when they're employing BYOD?" And, as you mentioned, there are a myriad of versions of Android on the market. And, you know, I mean, I know what the devices in our organization look like. And, even just within the, you know, relatively small company that we are, we have a huge array of Android versions. And, really…I mean, I think, one approach to that, as we talked about, is just to understand where there are security risks, and try to enforce policies that don't allow certain versions onto your network.
Chris Merritt: Yeah. As you mentioned, you set a threshold, you have to be at X or above in order to connect to the network. That's not to say that folks can't bring their phone in to work and use them to do their personal stuff, but they just can't access the work assets, the email and other things. And so, in essence, they'll self-regulate theirselves up to become more productive and be more useful.
All right, let's carry on here. A little bit of kind of, where our folks today? Current BYOD state? "Describe your organization's policy today?" Slim majority support company-owned devices. BYOD is clearly on everyone's radar here.
So, I think, you know, as such, this really mirrors kind of that demographic data that we saw up front.
Chris Chevalier: Yeah, I think…so, where it says that there are currently no plans to use private devices within the next 12 months, again, it probably matches up with the stat upfront of "BYOD will not be allowed." So, I think, you know, there are your stringent security companies.
What I think is a little maybe underrepresented are, "Privately-owned devices are widely in use, but not supported by the organization." That's the 60% that are thinking about it, because your users are bringing those devices in now, and connecting. I mean, they're getting their company email on that device, just not in a managed way, you know.
Chris Merritt: Right, yeah, not being controlled, which is a good segue into the next area, which is, "What are your current BYOD policies? What do you have in place?" And, what we see is that central management of mobile devices and applications is number one, is around 39%, but interestingly, 32% of organizations say they do not have any policies or procedures in place, and that's a little different than that initial demo that we saw.
Chris Chevalier: Yeah. Again, and maybe some of this will come out in what [SP] are the barriers question, and we're starting to get some comments on that, so thanks for those. We'll go through those in a second. But, yeah, not having any policy in place, that's unfortunate. I mean, at least, you know, we should try to get some basics in there. As we said, the policy can be really complex and really over-burdensome [SP], and maybe it's stuck in legal, and, you know, all that, but maybe it's something you do iteratively.
Chris Merritt: Yeah, I think that this is…you know, rolling out BYOD and thinking about it from a security standpoint, it's no different than rolling out any other technology and thinking about security. You want to bolt it…you don't want to bolt it on, you want to plan it in as you're getting ready to roll it out, you've got to think about a lot of these issues, these threats and drivers that we've been talking about, and then build the layers in to your policies and your people, your training of your people, and the technologies you use to start to establish that control so that you are less likely to have an event.
I mean, bottom line is it's about risk mitigation, and we talked about the different risk tolerances of different types of organizations. We're not saying that everybody has to clamp down on BYOD. What we're saying is: Understand what your risk tolerance is, and then have an appropriate set of policies and procedures that you can enforce to make that happen.
So, let's go on and look at what solutions folks have deployed, and this is interesting. So, 32% of organizations have on-premise BYOD solutions, while something around 28% have hybrid of a cloud and an on-premise. And then, 15%-ish, 14%-ish have cloud only.
Chris Chevalier: I think this is just a case of you're doing something new with BYOD and MDM. Is it time to also do something new with technology? You know, maybe two new variables is too much, and you choose an on-premise or a hybrid solution, and you go with what you know and take that sort of variable out of the equation, and, "Let's get it up and running," and then…
Chris Merritt: And then worry about the technology. Yeah, makes sense.
Moving along, policy coverage, what's your policy include. And, number one, of course, email accounts at 50%. Access and authentication, so presumably passwords, and stuff like that, is number two at 47%. And then, acceptable use and employee education at 42%.
Chris Chevalier: Device wiping shows up here as well, and there's a comment or question about that. There's always the issue of, they've got their data mixed with your data, and if they leave or they lose their device and you need to wipe it, you don't want to wipe their data off of the device because you don't want them, you know, to be upset and come back at the organization for that. What we are seeing being written into the policies where, when you sign the policy that's included in there, that the organization has the right to do that, and so, I mean, I think that's just a…
Chris Merritt: Yeah, this is one of those areas where you definitely need to make sure you're getting your legal department or counsel involved. This is actually an area of evolving precedence. I'm seeing cases now coming out where a policy that dictates that the employee buy [inaudible 00:56:35]. In other words, you're required by job to buy the phone, and yet the company gets all the options as to what you are allowed to do with that phone is considered coercive, and thus not enforceable. It's a non-enforceable contract. So, you know, think about the legal aspects of this stuff, and make sure that you're getting that advice as you move forward.
Chris Chevalier: So, I think really here, your policy should include all of these aspects, you know, at some point. You really need to address these, "Either it's supported, it's not supported. Here's what we can do, here's what we won't do," that sort of thing.
Chris Merritt: Okay. So, moving along: What are the tool requirements for a mobile device management tool that you might implement? What capabilities? Logging, monitoring, reporting are the most required features, and we see that, you know, they drop [inaudible 00:57:26].
Chris Chevalier: …there. You've gotta have that visibility up front. But, what I would encourage people to do is determine their capabilities based on their policy. So, set up your policy first, figure out what you need to enforce, and then look for those capabilities. Don't drive it backwards and shock first, and then determine what you want based on what you see.
Chris Merritt: Yeah, absolutely. And, as you're developing that policy, there are a lot of resources out there. And, one that I might suggest for folks who have a relationship with Gartner, they have a BYOD mobile device policy template that they put out last year. It's very interesting, and they really kind of walk through a lot of the stuff we've talked about. You need to engage your stakeholders, you only need to include those policies that pertain to your organization, so don't overbuild it, don't overthink it. Don't adopt policies you're not gonna be able to enforce. It's a waste of time. You need to periodically review your policies and update, depending on, you know, what's happening in your environment. And, make sure that you're training your employees.
Chris Chevalier: So, some of the other barriers that people…took the time to type in here. I just wanted to cover employee sense of confidentiality, their personal information, if organization is being Big Brother, well, if you want in to the company data, I think you have to go with that a little bit. Understanding what the real security threats are to the devices, or from the devices, the organization, the network from rogue cell sites even.
Chris Merritt: Yeah.
Chris Chevalier: Multiple barriers, lack of understanding, the cost/benefit. That's a hard one to characterize. Trying for a silver bullet IT solution, well, there hasn't been one to date for anything else, so I doubt that you're gonna find a silver bullet here. It is, as this person points out, a combination of process changes, user awareness, accountability, technical tools. So, you've got to have that written policy, you've got to have the user education, and then something to enforce it with.
Chris Merritt: Okay, we're coming up at the top of the hour here, Chris, so I'm gonna go ahead and stop the last poll and look at the results. So, we asked, "What's the greatest barrier to securing your mobile devices?" We see that it's roughly evenly split between budgetary constraints, legal, and HR issues and resources at 25% each, and then lack of C-level support came in at 9%, which isn't surprising, because we know that BYOD movement really is driven by the C-suite to a large extent. And then, finally 16% of folks said, "Other." So, that kind of matches with what we see out there in other surveys, and what we would expect.
Chris Chevalier: Yeah, it looks like there's a smattering of issues, and there's no one single thing that needs to be overcome.
Chris Merritt: So, as your commenter said, you know, it's a combination of things, develop the policies, you know, consider how you're going to implement them, acquire the technology capabilities that align to that policy, and as with all of this security stuff, user education is still key.
So, we're starting to run over the hour, Chris. I wanted to let everybody in the audience know that we do have a lot of resources on the Lumension website, which you can access. There's a free Device Scanner tool, which could tell you how many of these sorts of devices might be out there. We have the blog, and we have the survey results, you'll see the link there.
So, with that, I'm going to end this webinar. Thanks for your participation, Chris.
Chris Chevalier: Thank you.
Chris Merritt: And, thanks to everyone out there in the audience. Have a good day.