
The State of Mobile Computing Security


Research Report


By Jon Oltsik, Senior Principal Analyst and Bill Lundell, Senior Research Analyst

With Jennifer Gahm, Senior Project Manager

February 2014


Introduction

Research Objectives

In order to accurately assess organizations’ mobile computing adoption, strategies, and security, ESG recently surveyed 242 IT and security professionals working at enterprise-class (1,000 employees or more) organizations in North America. All respondents were responsible for mobile computing initiatives, operations, and security.

The survey was designed to answer the following questions:

• How important is mobile computing? What’s driving its adoption? Which types of devices are supported and who is responsible for purchasing these devices?

• Are there measurable differences around mobile computing security between advanced, progressing, and basic organizations? If so, what are these differences?

• Do organizations have mobile computing security policies in place? If so, who creates them? Are they enforced on an enterprise or business-unit basis?

• Do organizations create a cross-functional IT group to oversee mobile computing projects? If so, which groups are involved?

• Do enterprises have any particular mobile computing security challenges today? What do security professionals see for the future of mobile computing security?

• Have organizations adopted MDM technology? If so, how are these systems used today? What are the important features?

• Are organizations developing mobile applications? If so, what types of platforms and tools are they using? Are they including secure software development best practices and testing as part of their mobile computing software development efforts?

• What types of network access controls are in place to manage mobile devices? What types of access policies are enforced?

• What lessons have organizations learned through their experiences with mobile computing security? What would they recommend to others?

Survey participants represented a wide range of industries including financial services, manufacturing, business services, communications and media, and government. For more details, please see the Research Methodology and


Research Methodology

To gather data for this report, ESG conducted a comprehensive online survey of IT professionals from private- and public-sector organizations in North America (United States and Canada) between May 30, 2013 and June 5, 2013. To qualify for this survey, respondents were required to be IT professionals responsible for or familiar with their organization’s strategy, planning, and use around mobile computing and security. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.


Respondent Demographics

The data presented in this report is based on a survey of 242 qualified respondents. Figures 45-51 detail the demographics of the respondent base, including individual respondents’ role, purchasing responsibility, familiarity with their organization’s mobile computing strategy, and respondent organizations’ total number of employees, primary industry, and annual revenue.

Respondents by Current Role

Respondents’ current role within their organizations is shown in Figure 1.

Figure 1. Survey Respondents by Role

Which of the following best describes your current role within your organization? (Percent of respondents, N=242)

• IT management (e.g., CIO, VP of IT, Director of IT, etc.): 84%

• IT staff (e.g., Storage Administrator, Systems Administrator, etc.): 16%

Source: Enterprise Strategy Group, 2014.

Respondents by Information Security Technology Purchasing Responsibility

Respondents’ purchasing responsibility with regards to information security technologies is shown in Figure 2.

Figure 2. Survey Respondents by Information Security Technology Purchasing Responsibility

• I make/approve purchase decisions: 83%

• I influence purchase decisions: 17%

Source: Enterprise Strategy Group, 2014.


Research Report: The State of Mobile Computing Security

© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Respondents by Familiarity with Mobile Computing Usage and Strategy

Respondents’ familiarity with their organization’s usage of and strategy for mobile computing is shown in Figure 3.

Figure 3. Survey Respondents by Familiarity with Mobile Computing Usage and Strategy

How familiar are you with your organization’s usage of and strategy for mobile computing (i.e., applications accessed by mobile devices, business processes utilizing mobile technologies, mobile device policy, etc.)? (Percent of respondents, N=242)

• I am very familiar: 75%

• I am familiar: 25%

Source: Enterprise Strategy Group, 2014.

Respondents by Familiarity with Mobile Computing Security

Respondents’ familiarity with their organization’s processes and strategies for mobile computing security is shown in Figure 4.

Figure 4. Survey Respondents by Familiarity with Mobile Computing Security

How familiar are you with your organization’s processes and strategies for mobile computing security (i.e., application security, user authentication, device security,

• I am very familiar: 69%

• I am familiar: 31%

Source: Enterprise Strategy Group, 2014.


Respondents by Number of Employees

The number of employees in respondents’ organizations is shown in Figure 5.

Figure 5. Survey Respondents by Number of Employees

How many total employees does your organization have worldwide? (Percent of respondents, N=242)

• 1,000 to 2,499: 17%

• 2,500 to 4,999: 25%

• 5,000 to 9,999: 31%

• 10,000 to 19,999: 15%

• 20,000 or more: 13%

Source: Enterprise Strategy Group, 2014.

Respondents by Industry

Respondents were asked to identify their organizations’ primary industry. In total, ESG received completed, qualified respondents from individuals in 19 distinct vertical industries, plus an “Other” category. Respondents were then grouped into the broader categories shown in Figure 6.

Figure 6. Survey Respondents by Industry

• Manufacturing: 33%

• Financial (banking, securities, insurance): 12%

• Health Care: 10%

• Retail/Wholesale: 10%

• Business Services (accounting, consulting, legal, etc.): 6%

• Communications & Media: 5%

• Government (Federal/National, State/Province/Local): 2%

• Other: 23%

Source: Enterprise Strategy Group, 2014.


Respondents by Annual Revenue

Respondent organizations’ annual revenue is shown in Figure 7.

Figure 7. Survey Respondents by Annual Revenue

Source: Enterprise Strategy Group, 2014.

[Figure 7: bar chart of respondent organizations’ annual revenue. Categories: Less than $100 million; $100 million to $499.999 million; $500 million to $999.999 million; $1 billion to $4.999 billion; $5 billion to $9.999 billion; $10 billion to $19.999 billion; $20 billion or more; Not applicable (e.g., public sector, non-profit). Bar values as extracted: 5%, 8%, 12%, 21%, 25%, 17%, 10%, 2%.]


Contents

List of Figures

List of Tables

Executive Summary

Report Conclusions

Introduction

Research Objectives

Research Findings

ESG’s Mobile Computing Security Segmentation Model

The State of Mobile Computing

Mobile Computing Security Policy Overview

Mobile Computing Security and the IT Organization

Mobile Computing Security Challenges and Activities

Enterprise Use of Mobile Device Management (MDM) Technologies

Mobile Application Development and Security

Mobile Computing Security Final Thoughts

Conclusion

Research Implications for Information Security Professionals

Research Implications for Information Security Vendors

Research Methodology

Respondent Demographics

Respondents by Current Role

Respondents by Information Security Technology Purchasing Responsibility

Respondents by Familiarity with Mobile Computing Usage and Strategy

Respondents by Familiarity with Mobile Computing Security

Respondents by Number of Employees

Respondents by Industry


List of Figures

Figure 1. ESG’s Mobile Computing Security Segmentation Model

Figure 2. Importance of Mobile Devices to Business Processes and Productivity

Figure 3. Percentage of Employees Using Mobile Devices Daily for Business Purposes

Figure 4. Types of Employees Allowed to Use Mobile Devices for Business Purposes

Figure 5. Total Number of Mobile Devices in Use by Employees for Business Purposes

Figure 6. Organizations’ Approach Toward Mobile Device Procurement and Support

Figure 7. Support of Mobile Device Platforms

Figure 8. Approach for Supporting Android Mobile Devices

Figure 9. Likelihood of Windows 8 Support Within the Next 24 Months

Figure 10. Reasons Organizations Allowed Mobile Device Usage for Business Purposes

Figure 11. Implementation of Formal Mobile Computing Security Policy

Figure 12. Organizations’ Mobile Computing Security Policy

Figure 13. Individuals/Groups Responsible for Mobile Computing Security Policy

Figure 14. Requirements Needed to Connect Mobile Devices to Organization’s Network

Figure 15. Topics Included in Mobile Computing Security User Awareness Training

Figure 16. Types of Mobile Device Capabilities Organizations Disallow

Figure 17. Dedicated Cross-functional Team for Mobile Computing Strategy and Operations

Figure 18. Individuals/Functional Groups Responsible for Mobile Device Management

Figure 19. Individuals/Functional Groups Responsible for Mobile Device Security

Figure 20. Will Mobile Device Management and Mobile Device Security Groups Merge?

Figure 21. How PC Security Group Works with the Mobile Device Security Group

Figure 22. Formal Risk/Threat Assessment Requirement to Attain Mobile Access to IT Resources

Figure 23. Mobile Computing Security Challenges

Figure 24. Have Organizations Experienced a Security Breach as a Result of Compromised Mobile Device?

Figure 25. Respondents’ Perspective on the State of Mobile Threats Over the Next 24 Months

Figure 26. Most Important Mobile Computing Security Processes/Controls

Figure 27. Use of Device Partitioning Technologies

Figure 28. Deployment of MDM Technologies

Figure 29. How MDM Technologies Are Deployed

Figure 30. Most Important Available Features in MDM Platform(s)

Figure 31. Actions Taken to Manage Security of Third-Party Applications and Cloud Services on Mobile Devices

Figure 32. Challenges with MDM Platform(s)

Figure 33. MDM Technology Commodification

Figure 34. Development of Custom Mobile Applications

Figure 35. Current/Expected Mobile Application Development Process

Figure 36. Current/Expected Mobile Application Development Platforms

Figure 37. Primary Mobile Application Development Platform: Now and 24 Months from Now

Figure 38. Priority Given to Mobile Application Development

Figure 39. Accountability for Secure Development and Testing Processes for Mobile Applications

Figure 40. Inclusion of Secure Software Development Best Practices within Mobile Application Development Lifecycle

Figure 41. Actions Taken to Ensure Security of Mobile Applications

Figure 42. Use of Containerization APIs for Mobile Application Development

Figure 43. How Has Mobile Computing Strategy and Implementation Impacted Security?

Figure 44. Mobile Computing Best Practices

Figure 45. Survey Respondents by Role

Figure 46. Survey Respondents by Information Security Technology Purchasing Responsibility

Figure 47. Survey Respondents by Familiarity with Mobile Computing Usage and Strategy

Figure 48. Survey Respondents by Familiarity with Mobile Computing Security


Figure 50. Survey Respondents by Industry

Figure 51. Survey Respondents by Annual Revenue

List of Tables

Table 1. Approach for Supporting Android Mobile Devices Analyzed by the ESG Segmentation Model

Table 2. Likelihood of Windows 8 Support Within the Next 24 Months Analyzed by the ESG Segmentation Model

Table 3. Establishment of a Cross-functional IT Mobile Computing Team Analyzed by the ESG Segmentation Model

Table 4. Will Mobile Device Management and Mobile Device Security Groups Merge? – Analyzed by the ESG Segmentation Model

Table 5. Formal Risk/Threat Assessment Requirement to Attain Mobile Access to IT Resources Analyzed by the ESG Segmentation Model

Table 6. Security Breach as a Result of Compromised Mobile Device Analyzed by the ESG Segmentation Model

Table 7. Use of Device Partitioning Technologies Analyzed by the ESG Segmentation Model

Table 8. Challenges with MDM Platform(s) Analyzed by the ESG Segmentation Model

Table 9. MDM Technology Commodification Analyzed by the ESG Segmentation Model

Table 10. Development of Custom Mobile Applications Analyzed by the ESG Segmentation Model

Table 11. Current/Expected Mobile Application Development Process Analyzed by the ESG Segmentation Model

Table 12. Current/Expected Mobile Application Development Platforms Analyzed by the ESG Segmentation Model

Table 13. Priority Given to Mobile Application Development Analyzed by the ESG Segmentation Model

Table 14. Accountability for Secure Development and Testing Processes for Mobile Applications Analyzed by the ESG Segmentation Model

Table 15. Use of Containerization APIs for Mobile Application Development Analyzed by the ESG Segmentation Model
