US Mobile Security Survey


    Filing Information: April 2013, IDC #240598, Volume: 1

    Security Products: Survey

SURVEY

U.S. Mobile Security Survey, 2013

Phil Hochmuth, Charles J. Kolodgy, John Grady, Sally Hudson, Christian A. Christiansen

IDC OPINION

    The views of U.S. enterprises on personal mobile devices (PMDs) vary widely

    depending on the organizations' tolerance for risk as well as their general reliance on

    mobility to drive productivity and revenue. To some IT-controlled firms, or organizations

    that disallow PMD use, the acronym PMD is viewed as "potential mass destruction" with

    regard to perceived risks of data loss or breaches associated with uncontrolled mobiles;

    for many such organizations, mobility is too essential to the business to introduce risks

from unknown devices. For firms adopting the bring-your-own-device (BYOD) stance,

PMDs represent an opportunity to have a more empowered workforce while offloading

the cost of hardware, and potentially services, to the end users. However, many of

    these organizations rely less on mobility as an essential technology for employees and

    thus have greater tolerance for risk. U.S. enterprises use a wide variety of products and

    services to secure their employees' mobile devices, and the approach, mix, and types of

    solutions deployed correlates to the organizations' appetite for risk regarding PMDs, the

    level of mobility among organizations' workforce, and the size of the organizations in

    terms of employees and locations. According to IDC's recent study on mobility trends,

the majority (62.5%) of United States-based enterprises consider themselves BYOD

    inclined, while a little more than one-third of enterprises are IT controlled when it comes

    to PMDs in the workplace. Other key findings in the survey include:

    Mobile malware is a top security concern among IT-controlled enterprises (68%).

    Exposure of sensitive data (via "leaky" or misconfigured apps) is the top concern

    among BYOD firms.

    Organizations of all types see social media and cloud storage as the greatest

    threats in terms of mobile app usage.

    Mobile security services (from carriers or MSPs) are the least deployed and most

    frequently "not planned" technology for protecting mobile workforces. However,

    organizations that have experienced a mobile-related data breach are more likely

    to install mobile security services to augment deployed mobile security hardware

    and software products.

    While three-quarters of enterprises see PMDs as a risk factor, two-thirds of

    enterprises also say employees using PMDs have a good understanding of the

    risks involved.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA

P. 508.872.8200

F. 508.935.4015

www.idc.com

IN THIS STUDY

Methodology

IDC's U.S. Mobile Security Survey, 2013, is a Web-based survey of 200 IT decision makers at United States-based enterprises (with 1,000+ employees) conducted in

    February 2013. Key questions and themes of the survey included:

    Top mobile security issues and challenges

    Key technologies enterprises are using, planning, and planning not to use to

    secure mobile workforces

Vendor choices: "core" versus "complementary" security technologies

    Analysis of IT-controlled versus BYOD enterprises

    Mobile security incidents and breaches experienced

    The organizations surveyed spanned 14 different vertical markets, including

    healthcare, finance, manufacturing, government, military, and education.

    Respondents were required to be in a position to make purchasing decisions and/or

    technical evaluations of mobile security products and services for their organization.

    IDC's U.S. Mobile Security Survey, 2013, is the first of four surveys to be published

    on a quarterly basis throughout 2013, with each survey focusing on each of IDC's

    Four Pillar research areas: mobility, cloud, social business, and Big Data/analytics.

    Following the 2013 U.S. Mobile Security Survey, forthcoming surveys will study how

    cloud computing, social media, and Big Data/analytics are affecting enterprise data

    and network security. These studies are slated for publication in the second, third,

    and fourth quarters of 2013.

    Note: All numbers in this document may not be exact due to rounding.

SITUATION OVERVIEW

Survey Findings

    The momentum behind the BYOD movement and the use of PMDs in the office have

    been extensively chronicled in the technology and mainstream press. Empirical data

    from our study backs up these trends. To gauge how enterprises are responding to

    the influx of PMDs in the workplace, respondents were asked, "Which statement best

    describes the state of mobile/smartphone usage in your environment?"

    An IT-controlled environment is defined as one in which only corporate-issued

    devices are allowed to access enterprise applications and data.

    In a mix of IT-controlled environment and PMDs, both are allowed equal access

    to enterprise network applications and data.


    A decentralized environment is defined as one in which devices are not generally

    issued by the employer and any PMD is allowed to access corporate systems.

    For data analysis purposes, we have grouped "mixed" environments and

    "decentralized" environments into a single category calling them BYOD environments.

    Nearly two-thirds (62.5%) of all respondents categorized themselves as BYOD

    environments (114 respondents were mixed environments; only 22 respondents were

    decentralized environments). Of the total survey base, just over one-third (37.5%) of

    organizations were IT-controlled environments (see Figure 1).

FIGURE 1

Enterprises' Trend Toward BYOD Environments

    Q. Which statement best describes the state of mobile device/smartphone usage in

    your environment?

    n = 200

    Source: IDC's U.S. Mobile Security Survey, 2013

    Regarding mobility, enterprises were asked to define the level of mobility among the

    workforce as follows:

Highly mobile (>50% of employees travel frequently outside the office and access corporate resources with mobile devices)

Frequently mobile (30-49% of employees are mobile or travel frequently)

Moderately mobile (10-29% of employees travel)

Nonmobile (<10% of employees travel at any time)


    Based on these responses, IDC grouped the categories into two overarching mobile

    personas: "mobile oriented," which combines the categories of highly and frequently

    mobile enterprises, and "mobile averse," which comprises moderate and nonmobile

    enterprises.

    Regarding company size, respondents were broken down into three categories:

Small enterprise organizations with 1,000-4,999 employees

Medium-sized enterprise organizations with 5,000-9,999 employees

Large enterprise organizations with more than 10,000 employees

    From these basic characteristics, a clearer picture emerges of how organizations are

    using and controlling mobile devices. Among IT-controlled environments, nearly half

    of these organizations are considered "highly mobile." This indicates that in

    organizations where a mobile workforce is critical for productivity and growth, control

    over devices, and more importantly the data and apps on them, is a key requirement.

This might include organizations with a large road warrior workforce (consultancies, sales teams, and field workers) that drives business and revenue.

    On the opposite end, only a quarter of BYOD enterprises categorized themselves as

    highly mobile, although overall BYOD-focused enterprises were slightly more mobile

    oriented than IT-controlled firms (72% of BYOD firms were also mobile oriented; 68%

    of IT-controlled firms considered themselves in this category). Another way to

    interpret this is that mobility has permeated enterprises at all levels; highly mobile, IT-

    controlled enterprises do mobility "for a living" (it's a must-have capability);

    meanwhile, BYOD-focused, mobile-oriented firms view mobility as more of a "nice to

    have" capability (see Figure 2).

FIGURE 2

Makeup of Employee Base in Terms of Location

    Q. How would you describe the makeup of the majority of your employee base

    in terms of location?

    Source: IDC's U.S. Mobile Security Survey, 2013

    Data Breach Trends

    A key question in the survey was, "Has your organization experienced in the past 12

    months any data breach incidents (i.e., data loss or exposure of confidential

    information) in which it was determined that the usage of a mobile device was a

    factor." Based on respondents:

    36.5% answered Yes and are considered Breached.

    58.5% answered No and are considered Non-Breached.

    5% of organizations said they did not know.

Whether a firm was IT controlled or BYOD had little effect on the frequency of

mobile-related breaches (38% for BYOD firms versus 35% for IT-controlled firms). As

    might be expected, 46.8% of mobile-oriented firms experienced a breach in the past

    12 months, while only 11.9% of mobile-averse firms experienced a mobile-related

    breach (see Figure 3).

FIGURE 3

Data Breach Incidents Among Mobile-Averse and Mobile-Oriented Firms in the Past 12 Months

    Q. Has your organization experienced in the past 12 months any data breach incidents (i.e.,

    data loss or exposure of confidential information) in which it was determined that the usage

    of a mobile device was a factor?

    Source: IDC's U.S. Mobile Security Survey, 2013

    The majority of respondents indicated their organization had between one and nine

locations. Of these respondents, 37% had experienced a data breach. Thirty percent of firms with 10-99 locations experienced breaches, while half of very dispersed

organizations with over 100 locations said they experienced a breach. Also

noteworthy, 8.7% of very dispersed organizations said they did not know if they

experienced a breach, the highest rate among any of the three size groups.

    The percentage of respondents who experienced a breach increased with regard to

    the size of the organization from an employee standpoint as well. Fewer than 30% of

    small enterprises had experienced a breach, while just over a third of medium-sized

    enterprises said a breach had occurred. Among the large organizations with more

    than 10,000 employees, close to half (49%) said they had experienced a breach.

    Also, 10.4% of very large enterprises said they do not know if they had experienced a

breach, again showing that large organizations, whether measured by size or location, often have less visibility into the activities of their mobile workforce.

    Security Product Choice for Enterprise Mobility

    Respondents were asked to describe the status or plans for security product

    deployments targeted at securing their mobile workforces. This included both mobile-

    specific security solutions (such as mobile endpoint software or mobile security

    services) and mobile management solutions (mobile device management [MDM] and


    mobile applications management [MAM]). Traditional security technologies that could

    be used to secure mobile devices and traffic were also considered.

    General security products, as opposed to mobile-focused tools, were the most

    frequently deployed solutions for securing mobile workforces among respondents; at

    54%, security functions in wireless LAN (WLAN) infrastructure was the most widely

deployed technology for securing mobile devices and users. This makes sense, as

the first point of contact for an employee-owned device in an organization is

with the corporate WLAN. Many enterprises use common approaches such as access

    control lists, passwords, and guest/quarantine WLANs to control how mobile devices

    access the network. IT-controlled firms did this more frequently (64%) compared with

    BYOD firms (48%), which suggests that the majority of enterprises, which are BYOD

    focused, are opening WLANs up to end users' PMDs in the office.

Security gateway solutions (Web filtering, firewall, UTM, and VPN technologies)

were the second most deployed technology for mobile workforce security, as just over

    50% of organizations are using mobile features in these gateways. (Relating to the

    WLAN control trend, network access control [NAC] ranked fourth in deployments, at

    45.5%.)

    Mobile device management, at 50%, was the third most deployed technology. MDM

    solutions are primarily management platforms, which control the configuration of mobile

    devices and security tools. Enterprises see MDM as a valuable way to secure mobile

devices. In the case of mobile application management platforms, fewer than 40% of

    organizations had deployed application containerization solutions, which allow for the

    separation of work and personal environments on mobiles, tablets, and smartphones.

Security and managed services from wireless service providers or carriers (e.g.,

AT&T, Verizon) and security SaaS solutions represented the bottom tier, with fewer

    than 40% of organizations deploying these solutions. Mobile security services from a

    managed security service provider (MSSP) were deployed in 35.5% of all

    organizations surveyed. Last, cloud or SaaS-based Web security solutions were the

    least deployed technology for mobile security, with a little more than one-third (34.5%)

    of organizations having deployed this technology. Interestingly, the highest frequency

    of technologies enterprises said they had "no plans" to deploy were mobile security

    services from MSSPs or wireless carriers (see Figure 4).

FIGURE 4

Organizations' Mobile Security Solution Deployment Plans

Q. Please indicate what plans your organization has, if any, for deploying the following

    technologies to address mobile security concerns.

    n = 200

    Source: IDC's U.S. Mobile Security Survey, 2013

U.S. enterprises are more likely to address mobile security challenges with on-premise

    software/hardware solutions rather than with services and SaaS. In particular,

    enterprises will leverage features in existing infrastructure, mobile management

    platforms, and general-purpose security platforms to secure mobile workforces. While

    mobile-specific security products, such as mobile endpoint software, are being deployed

    and considered, these are largely secondary to infrastructure-based technologies.


    However, mobile security services and mobile-specific security products (such as

    mobile endpoint security software) are used, or are being evaluated, more frequently

    by enterprises that have experienced a mobile-related data breach. Among breached

    organizations, 45% have security services from mobile carriers deployed versus 33%

    of non-breached organizations. Also, 60% of breached firms say they are evaluating

or plan to deploy mobile MSSP services in the next 12-24 months, while only 43% of

    non-breached firms had similar trials/plans.

    Comparing deployed/planned solutions between BYOD and IT-controlled

    respondents, the greatest disparities among deployment between these two

    organization types included application containerization solutions (49% deployed in

    IT-controlled environments; 34% deployed among BYOD firms).

    IDC's interpretation of the data indicates that IT-controlled firms take measured,

    planned approaches to mobility in terms of buying and deploying security

    technologies, in addition to having policies around not permitting PMDs on corporate

    networks. BYOD firms are, as their nature indicates, less restrictive and less

    frequently deploy products to limit and secure access to networks and data. BYOD

    firms are more likely to go mobile first, and "ask questions later," with regard to

    deploying solutions for controlling and managing end-user devices. BYOD firms are

    less likely to put up barriers to WLAN network access and far less likely to utilize

    mobility identity, application management, and endpoint client security software

    agents than IT-controlled firms.

    Assessment of End-User Risk

    Two questions in the survey measured how enterprise IT views the risk of mobile device

    usage among the end-user population. Respondents were asked to show their level of

    agreement from 1 to 5 (with 5 being strongly agree) to the following statements:

Increased usage of personal smartphones and tablets by employees at work poses security risks to my organization.

    Employees who use their personal smartphones for work purposes understand

    the risks and are aware of proper security practices.

Only 25% of BYOD firms strongly agreed that increased usage of PMDs posed

a security threat, and a similarly low 26.4% of BYOD firms strongly agreed that employees using

    PMDs at work understood the risks. This indicates that these firms know there is an

    inherent lack of awareness as to the risks of PMD usage, but these firms are probably

    not supporting access to many critical applications or data sources for employees'

    personal devices. In contrast, 46.7% of IT-controlled firms viewed PMDs as a risk, but

nearly 39% of firms also agreed that employees understood the risks involved (see Figure 5). This indicates that IT-controlled firms, while restrictive in what devices are

allowed, may be doing a better job overall of educating their workforces

regarding responsible device usage. BYOD firms appear to have a ways to go in this

    respect, again, pointing to a "go mobile first, ask questions later" approach, as

    described in the Security Product Choice for Enterprise Mobility section.

FIGURE 5

Security Risks Caused by Increased Usage of Employees' Personal Smartphones and Tablets

    Q. Indicate your level of agreement with the following statements on a scale from 1 to 5, with 1

    being "strongly disagree" and 5 being "strongly agree." Increased usage of personal

    smartphones and tablets by employees at work poses security risks to my organization.

    Source: IDC's U.S. Mobile Security Survey, 2013

    Awareness of risks regarding mobile devices also increased with the frequency of

    mobile usage. Among mobile-oriented firms, 72% of firms agreed or strongly agreed

that their end users were aware of the risks regarding mobile device usage, whereas only 44% of mobile-averse firms agreed/strongly agreed that their end users were

aware of the risks regarding mobile device usage. As mobile-averse organizations

become more mobile, the risk of data loss or breaches may increase.

    Larger organizations, both in terms of user population and number of locations, saw

    greater risks regarding the use of PMDs than smaller firms. Among organizations with

    more than 100 locations, 40% agreed that the increased use of PMDs poses a

security risk, while 20% of organizations with 10-99 locations agreed with this.

However, regarding the number of employees, there was not much of a difference

among small, medium-sized, and large enterprises regarding views on PMDs and risk. A third of small enterprises strongly agreed that the increased use of mobile

devices introduces risk, and that frequency increased only slightly among medium-

sized and large enterprises (34% and 36%, respectively).

Top Mobile Threats: Leaky Apps and Data Loss

    Enterprises, both BYOD and IT controlled, see a wide range of threats to their mobile

    device deployments. Insecure or loosely secured privacy settings on mobile

applications (e.g., social network, collaboration, or contact records applications) was the

    most frequently cited threat among all survey respondents. This is a very real issue

    for many enterprises as workers begin to integrate personal applications with

    business contact lists and professional directories. Some social and productivity

    applications have been known to surreptitiously upload users' entire contact lists or

    databases of connections from other social media applications onto unknown servers.

    Others can reveal potentially sensitive information such as the users' geolocation or

    the identification number of the users' devices. These trends worry organizations as

    potentially sensitive customer contact information, sales leads, or confidential

    information may be leaked by end users without their knowledge.

    The issue of insecure or loosely secured privacy settings was the most frequently cited

    among BYOD firms, as 69.6% said this was a top threat to their mobile devices in their

    organization. Only 53.3% of IT-controlled firms cited this as an issue; however, this

    percentage could likely be attributed to the fact that IT-controlled firms disallow such

    applications, which could be susceptible to unwanted contact uploading (see Figure 6).

FIGURE 6

Top Mobile Security Threats

    Q. What are the top security threats to mobile devices (whether personal or

    employee owned)?

    Source: IDC's U.S. Mobile Security Survey, 2013

FIGURE 7

Information Security Risk for Organizations from Noncorporate Mobile Applications

    Q. What types of noncorporate mobile applications pose the greatest risk to information

    security in your organization?

    Source: IDC's U.S. Mobile Security Survey, 2013

Remote PC access tools (such as GoToMyPC or VNC for mobile devices) are

actually viewed as more of a threat among BYOD firms (55%) than among IT-controlled firms

    (44%); however, this stands to reason as IT-controlled firms are more likely to lock

    down mobile devices and PCs from noncorporate remote access tools. However, it also

    indicates that a trend exists in more open environments, where employees are using

    personal smartphones as a way to access PCs and other machines behind their

    corporate firewall. (Relative to this, BYOD firms also cited greater frequencies of

    breaches in which unauthorized users access corporate applications from an

    employee's mobile device than IT-controlled firms, or among all enterprises in general.)

FUTURE OUTLOOK

    From the data, we see a pattern that many enterprises are "backing into" securing

    their mobile workforces with products designed for general-purpose IT security

    (security gateways, NAC) or even network infrastructure in general (i.e., WLAN). This

speaks to the nature of mobility in the majority of enterprises: BYOD or a mix of IT-

controlled and employee-owned mobile devices that can access corporate data and applications. Organizations that do mobility "for a living" (i.e., organizations that

    have highly mobile workforces, which are relied upon to drive revenue and

    productivity) are more likely to be IT controlled from a mobile device standpoint and

    are also more likely to use mobile-specific security and management technologies,

    such as mobile endpoint security agents.

    The security approach enterprises will have to take with mobile employees, especially

    the majority of BYOD-focused firms, will be more lateral than head-on; existing

    technologies and infrastructures will have to be expanded and features added to

    accommodate the BYOD trend in the enterprise.

ESSENTIAL GUIDANCE

    Vendors of security products targeting mobile enterprises must have a clear

    understanding of the mobility profile of their target customers and tailor the feature

    sets, go-to-market strategy, and integration efforts around these solutions to match

    customer needs. One-size-fits-all approaches will fall short of enterprises'

    expectations and require customers to piece together solutions that work for their

    mobile security needs. This is especially true for security product vendors with

    mobile-targeted offerings, such as MDM/MAM or containerization platforms.

    Service providers and MSPs must increase awareness of their mobile security

offerings among enterprises while differentiating and emphasizing the benefits of services on top of product-based solutions. From the data, organizations do not see

    services as a primary protection technology for their mobile workforces; however,

    among organizations that have been breached or have high concerns about mobile

data and device loss/compromise, mobile security services, particularly those from

wireless carriers, are seen as a strategic backup solution for augmenting mobile

    security infrastructure. Security SaaS solutions providers with mobile-focused

    products must also emphasize advantages of a non-hardware/software and, in

    particular, an agentless approach to mobile security, particularly among BYOD-

    focused enterprises, which are the majority of customers.

LEARN MORE

Related Research

Worldwide Mobile Enterprise Security Software 2013-2017 Forecast and

    Analysis (IDC #240014, March 2013)

    Worldwide Security 2013 Top 10 Predictions (IDC #239424, February 2013)

Worldwide IT Security Products 2012-2016 Forecast and 2011 Vendor Shares:

Comprehensive Security Product Review (IDC #237934, November 2012)

Synopsis

This IDC study discusses the findings from the U.S. Mobile Security Survey regarding

    threats posed by mobile devices and apps among BYOD and IT-controlled firms.

    "Mobile devices and apps pose a great security risk in the eyes of most enterprise IT

    security professionals," says Phil Hochmuth, program manager for IDC's Security

    Products Research group. "At the same time, there is a general acceptance, or a

    sense of inevitability, among IT professionals that mobile devices are here to stay

    and that ultimately, end users will come to understand the risks involved with mixing

    personal devices with corporate application and data resources."

Copyright Notice

    This IDC research document was published as part of an IDC continuous intelligence

    service, providing written research, analyst interactions, telebriefings, and

    conferences. Visit www.idc.com to learn more about IDC subscription and consulting

    services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please

    contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or

    [email protected] for information on applying the price of this document toward the

    purchase of an IDC service or for information on additional copies or Web rights.

    Copyright 2013 IDC. Reproduction is forbidden unless authorized. All rights reserved.