Date posted: 20-Jan-2015
Secure data access in a mobile universe
A report from the Economist Intelligence Unit
Sponsored by
© The Economist Intelligence Unit Limited 2012
Contents
Preface
Executive summary
Introduction
Modern mobility: where are we now?
Loss, theft and bad habits: what are firms doing to meet the challenges?
Ever-more data on the go: the emerging trends
How can companies ensure effective mobile policies?
Conclusion
Appendix: survey results
Preface
An ever-growing use of consumer communication devices in the workplace and a need to maximise the productivity of executives and workers on the move are requiring businesses to respond. Secure data access in a mobile universe explores how companies can accommodate rising demands for mobile access to business information while minimising the security risks to proprietary data.
As the basis for the research, the Economist Intelligence Unit in June 2012 conducted a global survey of 578 senior executives. The survey explores how organisations are—or should be—responding to current and emerging challenges stemming from an unstoppable trend towards “bring your own device” (BYOD), as well as rising worker mobility more generally. We also undertook a series of in-depth interviews.
The findings and views expressed in this report do not necessarily reflect the views of the sponsor. The author was Lynn Greiner. Michael Singer and Justine Thody edited the report and Mike Kenny was responsible for the layout. We would like to thank all of the executives who participated in the survey and interviews, including those who provided insight but did not wish to be identified, for their valuable time and guidance.
Interviewees
Lucy Burrow, director of IT governance, King’s College London
Mike Cordy, global chief technology officer, OnX Enterprise Solutions
Steve Ellis, executive vice-president, Wells Fargo
Jay Leek, chief information security officer, Blackstone Group
Arturo Medina, information technology director, Ipsos Mexico
Bill Murphy, chief technology officer, Blackstone Group
Al Raymond, vice-president, Aramark
Ashwani Tikoo, chief information officer, CSC India
Executive summary
In the late 1990s portable laptops and mobile devices emerged that allowed executives to be productive while away from their offices. Devices like the IBM ThinkPad and RIM BlackBerry ushered in an era of multifunction mobile equipment that proved irresistible for the C-suite. Today, the world’s mobile worker population has expanded far beyond corner offices and is expected to reach 1.3bn people, or nearly 38% of the total workforce, by 2015, according to IDC, a technology research firm. By some estimates, as many as 76% of companies currently support a “bring your own device” (BYOD) policy, suddenly thrusting them into the position of securing access to data on devices they might not own. Most of those firms say they allow employees to use personal devices to make more effective decisions, avoid missed opportunities and work more effectively with their partners and customers—the same reasons driving companies to enable mobile data access on firm-owned devices.
In June 2012 the Economist Intelligence Unit conducted a global survey, sponsored by Cisco, of 578 senior executives to explore their perspectives on securing data on mobile devices. The principal research findings are as follows:
- Most executives are uneasy about their company’s mobile data-access policies. Although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. Nearly half of respondents (49%) say the complexity of securing multiple data sources and a lack of knowledge about mobile-access security and risk (48%) are top challenges for their companies.
- Larger companies are most willing to allow mobile access to critical data, but also impose stricter rules. More than 90% of companies with revenue over US$1bn allow access to data via either personal or company-owned devices. However, more than half of organisations with over US$5bn in revenue allow access only on company devices, while a third also permit access on personal devices. By contrast, only 37% of companies with revenue under US$500m insist on company-owned devices, while 47% permit access on personal devices as well. Mobile users within larger firms, however, must stay within the lines of approved devices requiring multiple policy signoffs.
- Mobile policies must not neglect social networking. While 56% of survey respondents have policies covering acceptable use of social networks via mobile devices, 33% of executives surveyed are restricted from discussing their work on social media platforms. Close attention to policies around social networking can enable effective interaction while still protecting corporate data assets and avoiding liability.
- Available infrastructure is the key influence on company policies around mobile access. While 44% of respondents say pressure from executives is one of the most important influences on policy, that number is dwarfed by the 60% who cite IT infrastructure requirements. This indicates an opportunity exists for companies offering services to secure and manage mobile access.
Is the mobile data access trend unstoppable? The short answer is yes; more sophisticated devices that offer a better user experience only serve to accelerate the trend. This means policies are mandatory, not optional. Getting employees involved in shaping those policies certainly increases the likelihood of compliance, according to executives interviewed for this research.
Who took the survey?
The survey questioned 578 senior executives worldwide. The respondents were based primarily in North America (29%), Western Europe (25%) and the Asia-Pacific region (27%), with the rest from the Middle East and Africa, Latin America and Eastern Europe. Of the total number of respondents, 23% were from the US, 10% from India, 7% from Canada and 6% from the UK. In terms of seniority, 27% were at the CEO level, 17% at the senior vice-president level and 15% at the manager level.
With respect to organisation size, 55% were from companies with revenue of US$500m or more annually, with 22% of those with revenue of US$10bn or more. Respondents represented a wide variety of industries, in particular IT and technology (13%), financial services (11%), professional services (11%) and energy and natural resources (9%). Functionally, respondents identified their primary roles as general management, business development, finance and sales and marketing.
Introduction
Adopting the right policies around mobile data access is becoming an increasing concern for many companies. Senior employees, as much as younger recruits, are demanding access to corporate data anywhere, anytime, on mobile as well as fixed devices. And many companies are realising that supporting mobile-device policies can pay dividends in the form of increased engagement and productivity—including a greater willingness to be responsive outside of working hours. BYOD-friendly workplaces are also more likely to attract tech-savvy workers, which usually helps spur innovation.
As devices proliferate and lines between consumer and corporate IT continue to blur, the challenges companies face in adapting to this cultural shift will grow. Expanding the scope of business data access presents obvious business risks, as well as technological challenges. Portable devices can be lost or stolen. People may share their devices with friends or relatives, increasing the risk of leakage of confidential data. Often these data are accessed from software applications not sanctioned by the company. But it is increasingly futile for IT departments to try to control the devices people bring to work, or to control how people use devices outside the office. They must respond to the increased vulnerability of corporate data networks by enforcing effective safeguards, both to protect business-critical data and to comply with regulatory environments in every region in which the company operates.
1. Modern mobility: where are we now?
Nearly one billion smart connected devices were shipped worldwide in 2011, a number expected to double by 2016, according to IDC, a technology research firm. These devices include PC-based products such as laptops and netbooks, mobile phones and tablets. The Economist Intelligence Unit survey showed that many people use multiple devices, most often a combination of laptop and smartphone, although tablets are increasing in penetration. Worldwide tablet shipments in the second quarter of 2012 grew by 33.6% over the first quarter and 66.2% over the same quarter in 2011, according to IDC’s estimates. We expect to see significant growth in the use of tablets after the release of the next generation of software operating systems. Added collaboration and communication features on newer tablets will attract executives with a wider range of data-access options than smartphones.
Supporting executives on the road with information fed to their mobile devices allows them to make quick, informed decisions, especially at critical times, such as business negotiations, notes Ashwani Tikoo, chief technology officer of CSC India, an IT services provider. In the second-largest operations centre for CSC global, Mr Tikoo is responsible for security policies that protect business data on mobile devices. Instant availability of data allows sales people to make the right decisions on the spot, rather than making the customer wait, he says. To prevent data loss, CSC’s security policies require data encryption on all mobile devices, including personal devices covered under a BYOD policy.
Preventing the data from being stored on a mobile device is another strategy. Al Raymond, vice-president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.
Executive mobile social policies
What policies does your organisation face around social network use on corporate devices? (% respondents)
Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
Only authorised spokespersons are permitted to access social networks on corporate devices: 26
Executives have unrestricted access to social networks: 19
Executives may not access social networks on corporate devices: 18
Other: 5
Source: Economist Intelligence Unit survey, June 2012.
Similar challenges exist around social networking on mobile devices outside of the offi ce, although company policies often restrict executive participation. Thirty-three percent of executives responding to the EIU survey said that they were not allowed to discuss any facet of their work on social networks, and another quarter said that only authorised spokespersons were permitted to even access social networks on corporate devices. Executive use of social networking will continue to be restricted, either by policy or unwritten agreement, to protect corporate information and limit liability, our research found.
Of course, different job seniorities require access to different types of data and our survey yielded few surprises here. Among C-level executives, financial information (60%) and strategic planning (42%) were significant productivity drivers. Managers look for operational data (44%) and sales-and-marketing data (43%), while lower-ranked staffers most need access to customer (42%) and operational data (42%). Making effective decisions (52%) and avoiding missed opportunities (42%) are the top reasons that senior executives seek mobile access to critical business data, according to our survey. Liaison with third parties—such as suppliers—comes particularly high on the list for smaller companies; 42% of respondents at firms with revenue under US$500m put this in their top three, compared with 37% of all firms. This need to stay connected helped transform email into a must-have application on mobile devices and remains the primary tool used by executives in our study to access business data remotely (81%).
CASE STUDY Ipsos, a hybrid approach
In regions like Latin America in which face-to-face contact is preferable for market research, smartphones and tablets are replacing pencil and paper as the survey tools of choice. Ipsos, a global market research firm, embraced this shift toward using mobile devices in its operations in Mexico and elsewhere. The company currently operates in 84 countries and has 16,000 full-time employees. Its research spans multiple methodologies from online to in-person, resulting in more than 70 million interviews per year worldwide.
Ipsos currently provides company-owned handhelds to its interviewers, but it is working on a new approach, says Arturo Medina, IT director at Ipsos Mexico. “Since the cost of custom mobile devices are quite expensive, we are adopting a hybrid model of ‘bring your own device’ policies,” he says.
In the hybrid model under development, interviewers are offered a choice of one of three smartphone models that Ipsos knows can run its interviewing software. Employees pay for their own device through incremental payroll deductions. Under normal circumstances, Mr Medina says workers will own the device outright in 2-3 weeks.
Ipsos provides a VPN connection to its company data, while the employee pays for all other smartphone functions. Ipsos manages the devices so it can remotely expunge business information if necessary. The data accessed on the smartphone are encrypted, preventing some losses. Interviewers must also adhere to corporate usage policies. The interviewers have the flexibility to use one device everywhere, notes Mr Medina, yet the company has sufficient control to protect its data assets.
2. Loss, theft and bad habits: what are firms doing to meet the challenges?
Implementing systems to secure company data accessed across an array of different platforms costs money. So it is not surprising that only survey respondents from the largest companies feel confident about their firms’ data-security arrangements. While 45% of respondents from firms with annual revenue of US$10bn or more say that their firm has state-of-the-art data security measures in place, this falls to just 10% for respondents from smaller companies (US$500m). Moreover, even among firms with revenues between US$500m and US$5bn, as many as a third describe their companies’ policies as inadequate or completely inadequate.
Overall, our executive respondents accept the need for investment, with 69% rating security service investment a priority. But our research indicates that more needs to be done to educate executives about security risks. Some companies that believe they have strong security nevertheless allow risky practices. For example, among those executives who said their firms have industry-leading security practices (20%), 13% said there are no restrictions on their social-networking activities. This practice, of course, carries risk of accidental exposure of confidential company information. Our research found that setting social-networking policies can both enable effective interaction and help protect corporate data assets and avoid liability.
With fewer resources than their larger counterparts, smaller companies face stiffer challenges in securing mobile data. Nearly 40% of respondents from companies with annual revenue of US$500m or less described their company’s mobile data security policies as inadequate or completely inadequate. As with larger organisations, smaller companies with enforced, written policies can go a long way towards securing corporate data at relatively low cost. Devices sold in the last few years have built-in encryption that need only be activated. However, additional management tools are often needed to automate security processes, forcing smaller firms to balance purchasing protective technologies with lower-cost approaches like holding employees to security policies.
As the power of even the smallest mobile devices continues to increase, so does the risk of losing data for the most low-tech of reasons. Kensington, a US computer peripheral manufacturer, says more than 70m smartphones are lost annually, with only 7% recovered. Laptops are not immune either, with Kensington’s research showing that 10% will be lost or stolen over the life of the PC. Three-quarters of the losses occur during transit or while the employee is working at a remote location. A large percentage of those lost machines contain some type of business data.
The average cost of a corporate data breach incident reached US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That is more than double the average cost in 2005. Mr Raymond of Aramark thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may reach US$25m–500m.
Of particular concern to companies looking to prevent data breaches caused by employees, many mobile data losses are a direct result of user carelessness. Ponemon’s 2011 Cost of Data Breach Study found that anywhere from 30% to 40% of breaches were caused by negligence, followed by those due to malicious attacks (43%). The study found 50% of breaches from Italian companies were generated by the loss or theft of a mobile device. Only Germany (42%), France (43%) and Australia (36%) experienced more breaches caused by malicious attacks than those caused by negligence. India was the only country in which system glitches surpassed negligence and malice as causes of breaches.
Some notable mobile data losses illustrate how easily a breach can occur. The Cancer Care Group, an Indianapolis cancer clinic, lost the personal data of more than 55,000 patients as well as those of its employees in July 2012 when an employee’s laptop containing server backup files was stolen from a locked vehicle. The data were not encrypted, contrary to best practices. The MD Anderson Cancer Center, a Texas medical clinic, suffered two breaches between June and July 2012. While one incident was caused by an unencrypted portable USB key lost on a bus, another took place when a laptop, also unencrypted, was stolen from a faculty member’s home. Information on over 30,000 patients was compromised in the two breaches. After the second breach, the facility began a project to encrypt all of its data.
Companies can prevent many data breaches by adding password protection to mobile devices, be they laptops, smartphones or portable data storage devices, and by full encryption of the disk or USB key.
These devices should also be secured physically. For instance, they should not be left in unattended vehicles, even locked ones. Mobile phones and some PCs (those equipped with Intel’s VPro technology) can be remotely disabled and wiped clean of data if they go missing; the more sensitive the data they hold, the more critical it is that such a mechanism is put in place, since encryption can be broken.
Getting a grip on BYOD
Since the “bring your own device” model is comparatively new, there are few tried-and-tested industry standards for BYOD policies. Typically, if an employee leaves the company, voluntarily or otherwise, company data must be quickly removed, preferably without interfering with the employee’s personal information. Acceptable use policies for BYOD usually include a clause permitting this. Companies can also protect themselves legally by modifying their existing mobile policies, recommends a June 2012 National Law Review brief. Policies that centre on harassment, discrimination and equal-employment opportunities policies, confidentiality and trade-secret-protection policies, and compliance and ethics policies may all be updated to protect companies against worker abuse of mobile policies.
As a safeguard against risky executive practices, many companies install software on the employee’s device to lock down its software, encrypt data and perform other administrative functions, such as updating calendars or applying security updates. Intrusive though this may sound for the employee, most mobile-device policies require some type of remote administrative access controls. Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Mr Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.
Mr Raymond says his company takes an alternative approach to device-centric mobile-security administration. Workers use the mobile device purely as a viewer, leaving company data on corporate servers that can be accessed securely and do the heavy computing, and not on the device itself. Methods of doing this, which include using virtual desktop technology and accessing data through web-based services like Salesforce.com, are becoming more widespread because mobile access to secure networks enables company-controlled encryption, authentication and management.
Arturo Medina at Ipsos, which imposes similar network-based controls, recommends a constant dialogue with employees to ensure compliance and prevent unauthorised downloads of corporate data. “Make clear the boundaries of sensitive information and user information, as well as what gets backed up as corporate info and what is considered personal information,” Mr Medina advises.
BYOD policies
How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)
Specifying approved devices: 25
Requiring sign off on acceptable use policy: 32
Monitoring applications on devices: 14
Requiring defined security software on personal devices: 31
Requiring a secure virtual environment on personal devices: 25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
Restricting mobile data access to specific apps: 18
No restrictions, executives have free access to whatever data is available: 20
Source: Economist Intelligence Unit survey, June 2012.
3. Ever-more data on the go: the emerging trends
Almost 90% of organisations worldwide allow mobile access to critical data, according to the International Telecommunication Union (ITU), a UN agency. Of those organisations identified in the EIU survey that do not have formal BYOD policies, 25% say they plan to implement a programme in the next 12-18 months. They note that this type of programme makes for more motivated employees, an observation upheld by independent research. According to research conducted in August 2012 by iPass, a US mobile software company, many employees work up to 20 additional unpaid hours per week when they’re always connected. Almost 90% of iPass respondents said that wireless connectivity is as important a component of their lives as running water and electricity.
Though more employees are working outside of the office, establishing a mobile-access programme including BYOD is not an option for some firms. Highly regulated banking and finance companies have strict policies that prohibit letting executives access company data from their own devices. Steve Ellis, executive vice-president of Wells Fargo, notes that his company is approaching BYOD with caution and is currently evaluating options. A formal plan may be another year away, Ellis says. Other companies with no formal BYOD policy report seeing personal devices slip in under the radar. Before the introduction of Aramark’s formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. “It is no longer a wink and a nod,” Mr Raymond says. The higher the visibility of your program, the more likely it will be adhered to.
Policies aside, the nature of devices has changed as well. Currently, just over a quarter (27%) of critical data access is occurring by means of smartphones, according to our survey. Respondents expect this to rise to over a third (35%) in the next 12-18 months, with another 30% of critical data accessed by means of other mobile devices, up from a fifth currently. With the advent of newer software and the associated devices, tablets are poised to become a more widely used mobile window to corporate data for executives, perhaps even supplanting smartphones one day, according to an article in The Economist (October 2011). Their larger screen size expands the range of data that can be effectively viewed, and, supplemented by external keyboards, they enable easier interaction with apps.
Interestingly, although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. The main challenge, unsurprisingly, is concern about potential security and other risks. Nevertheless, only 11% of respondents to our survey say their organisation does not provide access to critical data outside the office.
Executive access devices
What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)
Smart phone: 85
Tablet: 41
Laptop: 85
Source: Economist Intelligence Unit survey, June 2012.
CASE STUDY US EEOC launches mobility pilot
The US Equal Employment Opportunity Commission (EEOC) FY 2012 budget was slashed by nearly 15%, from US$17.6m to US$15m. Needing to reduce operating costs, Chief Information Officer Kimberly Hancher reduced the agency’s mobile device budget by half. To help fill the gap, the agency launched a mobile BYOD pilot project. The project focused on providing employees with access to agency email, calendars, contacts and tasks. A few senior executives were provided “privileged” access to the agency’s internal systems as part of the project.
In the initial testing phase, 40 volunteers turned in their government-issued BlackBerry devices and instead used their personal smartphones. Information security staff, legal staff and the employees’ union generated rules that balanced employee privacy (social media policies, monitoring policies) with government security, such as the US National Institute of Standards and Technology (NIST) regulation SP 800-53 (also known as “Recommended Security Controls for Federal Information Systems and Organisations”). The second phase of the programme launched in June 2012. The EEOC worked with its contractors to configure agency email access for employees participating in the secondary testing. The agency’s remaining 468 employees using EEOC-issued BlackBerry devices were offered three choices:
1. Voluntarily return the BlackBerry and bring a personal Android, Apple or BlackBerry smartphone or tablet to work.
2. Return the BlackBerry and get a government-issued cell phone with voice features only.
3. Keep the BlackBerry with the understanding that the EEOC does not have replacement devices.
EEOC managers report positive results from the pilot so far. Employees pay for their own voice and data usage and the agency covers the licenses for the management software. The EEOC’s Mr Hancher noted that, for some employees, the cost may be an issue and there is an outstanding question of whether the agency will be able to provide some sort of reimbursement for part of the data and voice services. Mr Hancher notes that success was achieved by involving employees, the union and legal departments early in the process.
4. How can companies ensure effective mobile policies?
Survey respondents clearly recognise the advantages of enabling mobile data access and are aware of the necessary investments. Some of the measures that companies need to adopt to secure corporate data accessed by mobile devices can be put in place remotely. IT managers can currently add security features to laptops, smartphones and tablets, often using existing management tools. They can also separate company data from personal data as well as duplicate and store business data on corporate networks. Virtual desktops provide secure mobile access to data on personal laptops. These safeguards allow mobile workers to recoup data on a lost or damaged device with little effort. These measures will allow more executives in the future to access corporate data securely from any computer, according to our executive interviewees.
For the travelling C-level executive, less time spent updating security protocols means more time for getting work done. In the future data security will be strengthened with the help of technologies built directly into applications that protect the data itself, making interception and misuse more difficult, CSC’s Mr Tikoo said. “Applications should be able to recognize that I am working on an iPad or a little 5-inch screen and render the data to me appropriately.”
Mobile empowerment
In what ways is your company empowering access to critical data today and how might that change in the future? Select one answer in each column for each row. (% respondents; Today / In the future)
Providing access to multiple types of data: 60 / 47
Providing secure mobile environments to allow access to critical data: 45 / 43
Enhancing secure access to data (eg, mobile device generated security tokens): 41 / 45
Training executives to use mobile data more effectively: 36 / 42
Enabling customised mobile views of data: 24 / 58
Providing mobile apps to access critical data on multiple platforms: 20 / 52
Providing secure cloud-based environments for mobile use: 20 / 57
Designing intuitive mobile user interfaces: 15 / 48
Incorporating new communication/data access methods (eg, QR codes, NFC): 14 / 47
Source: Economist Intelligence Unit survey, June 2012.
Mr Raymond says that although his business doesn’t require it, separate environments for business and personal use are important. But if the policies surrounding them, or any other security measures, are not enforced, there will be consequences. He says he is always surprised when speaking with his peers at how much of security in large organisations is just “smoke and mirrors”. The words are there, the enforcement is not.
Ipsos, a global research company, requires every employee to complete a security-awareness training course delivered over its corporate intranet—a cost-effective way to reach its staffers in 84 countries. While its programme was internally developed, commercially available security-awareness products that can be customised for local needs are readily available from organisations such as the US National Security Institute (NSI). Employees are also required to sign a mobile acceptable use policy that covers everything from the type of data they may access from a mobile device to rules concerning password strength.
Other security safeguards require reliable action on the part of users. While mobile devices should have passwords, Coalfire, an audit and compliance firm, estimates only half of personal devices currently do. Employees in a BYOD programme must agree that if their personal devices are lost or stolen, the IT department’s responsibility includes remotely wiping out information on personal devices to protect company data.
There is clearly some way to go in most organisations to educate staff on the security issues raised by mobile access of company data. The survey indicated that executives outside Europe and North America are more likely to resist data-security policies on personal devices. Yet, in an increasingly interconnected business world, security gaps in one region can affect compliant companies (and their customers) elsewhere.
5 Conclusion
Not only will mobile data access expand, the trend is unstoppable. Unmanaged and unsecured devices have already crept into the business environment, putting company data at risk and opening the door to attacks through compromised devices. Almost one-third of respondents in our survey report inadequate mobile device policies at their companies. Establishing sensible, workable policies is a first step to achieving a viable mobile data access programme.
Executives classifying their device policies as industry-leading indicate they use data on-the-go to make more effective and collaborative decisions, avoid missed opportunities and work more effectively with partners and customers. To ensure that this access won’t compromise business data, executives may want to prioritise programmes that mitigate risk and support investments in data and security services.
Connected devices are becoming increasingly integral to global business. The type of device in use is evolving, with tablets being the up-and-coming device of choice. We can expect to see significant growth in the use of tablets after the release of the next generation of software operating systems, which will give tablets a wider range of data-access options than smartphones. This will be a mixed blessing, analysts believe, as tablets will be supplemental devices to existing systems, not replacements.
Securing critical data in the future may mean creating even more stringent access requirements. The shift towards tablets for business outside the office, for example, will open up a whole new set of challenges because it will encourage executives to seek mobile access to a wider range of data. It will require many companies to take a fresh look at the whole issue, from devices and their weaknesses through available infrastructure to the users themselves.
Appendix: survey results
Percentages may not add to 100% owing to rounding or the ability of respondents to choose multiple responses.
Based on your observations, how does your organisation’s mobile device policy compare to those of its competitors within your industry? (% respondents)
Industry leading (my organisation has a written, formal, enforced policy for the management and use of mobile devices): 20
Adequate (my organisation has informal guidelines that are monitored and enforcement action taken when necessary): 47
Inadequate (my organisation has informal or formal guidelines that are neither monitored nor enforced): 19
Completely inadequate (my organisation has no formal or informal policy for the use and management of mobile devices): 11
Don’t know: 3
What leading business factors are driving the need for access to critical data from mobile devices? Select up to three. (% respondents)
Making more effective decisions: 52
Avoiding missed opportunities: 42
Working more effectively with third parties (suppliers, partners, customers, etc): 37
Empowering executives: 37
Keeping up with competitive pressures: 31
Maximising more business functions: 27
Satisfying internal demand: 21
Controlling costs: 16
Other: 3
We have no need for mobile data access: 1
Does your organisation allow access to critical data outside the office? (% respondents)
Yes, on company-owned devices only: 43
Yes, on either company or personally-owned devices: 46
No: 11
I don’t know: 1
What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)
Smartphone: 85
Tablet: 41
Laptop: 85
Pager: 2
Other: 1
We do not provide company-owned devices to executives: 3
Does your organisation allow executives to bring their own devices (BYOD) and use them instead of company-owned devices to access critical data? (% respondents)
Yes: 49
No: 49
I don't know: 3
How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)
Specifying approved devices: 25
Requiring sign off on acceptable use policy: 32
Monitoring applications on devices: 14
Requiring defined security software on personal devices: 31
Requiring a secure virtual environment on personal devices: 25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
Restricting mobile data access to specific apps: 18
No restrictions, executives have free access to whatever data is available: 20
Does your organisation plan to implement BYOD for access to critical data? (% respondents)
Yes: 20
No: 55
I don't know: 25
What do you perceive is the biggest obstacle to implementing BYOD for access to critical data? (% respondents)
Corporate security or risk concerns: 50
Corporate IT concerns over difficulty managing personal devices: 14
Corporate IT resistance to supporting executives’ personal devices: 14
Executive resistance to policy restrictions on personal devices: 9
Cost of required device management infrastructure: 6
Other: 4
Allocation or management of charges on executive devices: 4
In your opinion, what are the greatest challenges your company faces in securing access to critical data over mobile devices, whether owned by the firm or the executive? Select up to four. (% respondents)
Multiple data sources, each requiring distinct security measures: 49
Lack of knowledge about security/risk of mobile access: 48
Lack of resources to manage/secure data access: 34
Classifying data to determine risk profile for each source: 34
Lack of apps for all required platforms (eg, there may be an iPhone app, but not one for Android): 25
Data unsuitable for remote access: 23
Executive resistance to security measures: 22
Lack of resources to develop needed apps/access methods: 21
Legacy systems are prohibitive: 16
Lack of mobile access for some locations: 12
Other: 1
We do not face this challenge: 5
Besides your job title, what determines which data are/will be made available to mobile devices? Select up to three. (% respondents)
Availability of data: 40
Departmental or organisational standards: 32
Availability of mobile data access apps: 31
Type of access method (on site vs remote): 30
Speed at which up-to-date information is required: 29
Cost: 23
Screen size of the device accessing the data: 21
Regulatory compliance: 20
User preferences: 19
Other: 3
What determines which users are/will be permitted to access critical data on mobile devices? Select up to three. (% respondents)
Departmental or organisational standards: 54
Availability of data: 28
Type of access method (on site vs remote): 25
Cost: 24
Regulatory compliance: 23
Availability of mobile data access apps: 21
Speed at which up-to-date information is required: 20
User preferences: 19
Screen size of the device accessing the data: 9
Other: 3
What are the most important influences on company policies and approaches towards creating a mobile device and application strategy? Select up to three. (% respondents)
IT infrastructure requirements to accommodate mobile access: 60
Pressure from executives needing anywhere/anytime access to data: 44
Legal/regulatory requirements around data management: 40
Pressure from security/risk management: 39
Competitive pressure, wanting to be perceived as up-to-date by customers and competitors: 31
Pressure from senior management who wish to use personal devices: 23
Cost: 19
Other: 1
Financial information
Strategic planning
Competitive intelligence
Operational data
Sales and marketing
Customer information
Human resources
News or social network feeds
Other
Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —C-level executives
Select up to three for each role. (% respondents)
74
60
42
35
24
18
10
8
6
1
Operational data
Sales and marketing
Customer information
Financial information
Competitive intelligence
Human resources
Strategic planning
News or social network feeds
Other
Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —Business managers
Select up to three for each role. (% respondents)
75
44
43
30
26
23
15
13
8
1
Operational data
Customer information
News or social network feeds
Sales and marketing
Human resources
Competitive intelligence
Financial information
Strategic planning
Other
Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? —Employees
Select up to three for each role. (% respondents)
80
42
42
23
20
17
7
7
4
1
Financial information
Strategic planning
Competitive intelligence
Operational data
Sales and marketing
News or social network feeds
Customer information
Human resources
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices? —C-level executives
Select up to three for each role. (% respondents)
81
45
28
28
22
19
15
11
8
1
Operational data
Sales and marketing
Customer information
Competitive intelligence
Financial information
News or social network feeds
Human resources
Strategic planning
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices? —Business managers
Select up to three for each role. (% respondents)
81
38
37
25
19
19
17
14
9
1
Operational data
News or social network feeds
Customer information
Sales and marketing
Human resources
Financial information
Competitive intelligence
Strategic planning
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices? —Employees
Select up to three for each role. (% respondents)
82
35
33
33
18
12
5
5
3
1
Financial information
News or social network feeds
Competitive intelligence
Operational data
Strategic planning
Sales and marketing
Customer information
Human resources
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —C-level executives
Select up to three for each role. (% respondents)
60
27
25
23
21
21
19
14
7
2
Sales and marketing
Operational data
News or social network feeds
Customer information
Competitive intelligence
Financial information
Human resources
Strategic planning
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —Business managers
Select up to three for each role. (% respondents)
59
33
29
26
22
16
14
12
6
2
News or social network feeds
Operational data
Customer information
Sales and marketing
Human resources
Competitive intelligence
Financial information
Strategic planning
Other
Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? —Employees
Select up to three for each role. (% respondents)
62
34
28
25
17
10
7
5
3
2
Does your organisation provide mobile access to data for each of the following groups? (% respondents)
All international locations: Yes 54, No 34, Don’t know 12
All locations in your region: Yes 67, No 27, Don’t know 6
All departments: Yes 56, No 37, Don’t know 7
All roles: Yes 35, No 58, Don’t know 7
Does your organisation have policies in place for acceptable use of social networks (eg, Facebook, Twitter) on corporate devices? (% respondents)
Yes: 56
No: 39
I don’t know: 5
What policies does your organisation face around social network use on corporate devices? (% respondents)
Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
Only authorised spokespersons are permitted to access social networks on corporate devices: 26
Executives have unrestricted access to social networks: 19
Executives may not access social networks on corporate devices: 18
Other: 5
What is the ratio of time you spend on company-owned vs personal-owned mobile devices for your organisation? Drag the slider button to choose a relevant percentage split that reflects how each option should be weighted (eg, 60% to 40%). (% respondents)
Company owned
Ratio: 100:0, 90:10, 80:20, 70:30, 60:40, 50:50, 40:60, 30:70, 20:80, 10:90, 0:100
% respondents: 12, 23, 17, 13, 6, 9, 3, 3, 2, 3, 9
What kind of priority does your organisation accord to the following strategies? Rate on a scale of 1 to 5, where 1=High priority and 5=Not a priority. (% respondents)
Scale: 1 High priority, 2, 3, 4, 5 Not a priority
Investing in data services: 27, 35, 25, 9, 4
Investing in mobile services: 16, 29, 31, 15, 9
Investing in security services: 37, 32, 19, 9, 3
What is the proportion of critical data you access over mobile channels today? Total should be 100%
Mobile via smart phone: average 26.9
Mobile on other devices (eg, tablet): average 21.7
Non-mobile access: average 59.8
What will be the proportion of critical data you access over mobile channels in 12-18 months? Total should be 100%
Mobile via smart phone: average 34.5
Mobile on other devices (eg, tablet): average 30.2
Non-mobile access: average 42.8
In what ways is your company empowering access to critical data today and how might that change in the future? —Today
Select one answer in each column for each row. (% respondents)
Providing access to multiple types of data: 60
Providing secure mobile environments to allow access to critical data: 45
Enhancing secure access to data (eg, mobile device generated security tokens): 41
Training executives to use mobile data more effectively: 36
Enabling customised mobile views of data: 24
Providing mobile apps to access critical data on multiple platforms: 20
Providing secure cloud-based environments for mobile use: 20
Designing intuitive mobile user interfaces: 15
Incorporating new communication/data access methods (eg, QR codes, NFC): 14
In what ways is your company empowering access to critical data today and how might that change in the future? —In the future
Select one answer in each column for each row. (% respondents)
Enabling customised mobile views of data: 58
Providing secure cloud-based environments for mobile use: 57
Providing mobile apps to access critical data on multiple platforms: 52
Designing intuitive mobile user interfaces: 48
Providing access to multiple types of data: 47
Enhancing secure access to data (eg, mobile device generated security tokens): 45
Providing secure mobile environments to allow access to critical data: 43
Training executives to use mobile data more effectively: 42
Incorporating new communication/data access methods (eg, QR codes, NFC): 47
In the next 12–18 months, what does your organisation expect to do with access to critical data that it is not currently able to do? Select all that apply. (% respondents)
Provide wider data support for mobile devices: 47
Identify risks that are not currently apparent: 46
Further improve business process efficiencies: 45
Provide access to data from more data sources: 44
Identify opportunities that are not currently apparent: 40
Improve customer service: 34
Speed up process improvements: 33
Provide access based on user’s role and/or device type: 32
Increase consumer engagement: 27
Drive new revenue streams: 23
Innovate on more diverse and timely feedback: 17
Other: 1
In which region are you personally located? (% respondents)
Asia-Pacific: 27
Latin America: 9
North America: 29
Eastern Europe: 3
Western Europe: 25
Middle East and Africa: 6
In which country are you personally located? (% respondents)
United States of America: 23
India: 10
Canada: 7
United Kingdom: 6
Germany: 4
Singapore, Australia, Brazil, Mexico: 3
Italy, Hong Kong, Switzerland, China, Nigeria, Spain: 2
France, Belgium, Netherlands, South Africa, Finland, Japan, Malaysia, New Zealand, Portugal, United Arab Emirates, Chile, Sweden, Russia, Bahrain, Bulgaria, Colombia, Czech Republic, Hungary, Israel, Pakistan, Philippines, Poland, Taiwan, Thailand: 1
What are your organisation’s global annual revenues in US dollars? (% respondents)
$500m or less: 45
$500m to $1bn: 9
$1bn to $5bn: 17
$5bn to $10bn: 7
$10bn or more: 22
Which of the following best describes your title? (% respondents)
Board member: 5
CEO/President/Managing director: 27
CFO/Treasurer/Comptroller: 8
CIO/CTO/Technology director: 5
Other C-level executive: 8
SVP/VP/Director: 17
Head of Business Unit: 3
Head of Department: 8
Manager: 15
Other: 3
What is your primary industry? (% respondents)
IT and technology: 13
Financial services: 11
Professional services: 11
Energy and natural resources: 9
Healthcare, pharmaceuticals and biotechnology: 8
Manufacturing: 8
Consumer goods: 6
Government/Public sector: 5
Telecoms: 4
Chemicals: 3
Entertainment, media and publishing: 3
Transportation, travel and tourism: 3
Retailing: 3
Education: 3
Logistics and distribution: 3
Construction and real estate: 2
Agriculture and agribusiness: 2
Aerospace and defence: 2
Automotive: 1
What is your main functional role? (% respondents)
General management: 30
Strategy and business development: 17
Finance: 15
Marketing and sales: 10
IT: 7
Operations and production: 5
Information and research: 3
R&D: 3
Risk/Security: 2
Procurement: 2
Customer service: 2
Human resources: 2
Supply-chain management: 2
Legal: 1
Whilst every effort has been taken to verify the accuracy of this
information, neither The Economist Intelligence Unit Ltd. nor the
sponsor of this report can accept any responsibility or liability
for reliance by any person on this white paper or any of the
information, opinions or conclusions set out in the white paper.
Cover: Shutterstock
London: 26 Red Lion Square, London WC1R 4HQ, United Kingdom. Tel: (44.20) 7576 8000. Fax: (44.20) 7576 8476. E-mail: [email protected]
New York: 750 Third Avenue, 5th Floor, New York, NY 10017, United States. Tel: (1.212) 554 0600. Fax: (1.212) 586 0248. E-mail: [email protected]
Hong Kong: 6001, Central Plaza, 18 Harbour Road, Wanchai, Hong Kong. Tel: (852) 2585 3888. Fax: (852) 2802 7638. E-mail: [email protected]
Geneva: Boulevard des Tranchées 16, 1206 Geneva, Switzerland. Tel: (41) 22 566 2470. Fax: (41) 22 346 93 47. E-mail: [email protected]