
Even after implementing mobile device use policies and technology controls, many organizations remain vulnerable to mobile security risks, according to the results of a recent Deloitte poll.

One out of two adults in the U.S. owns a smartphone, and one out of three owns a tablet, according to Deloitte LLP’s “State of the Media Democracy” survey. Many of those mobile device owners want to use their personal smartphones and tablets on the job—to check work email, access corporate systems, and use web-based software.

Yet many enterprises don’t seem completely prepared to address the security and privacy risks mobile devices present, according to the responses of approximately 2,000 professionals surveyed during a recent Deloitte & Touche LLP webcast. One-third believe unauthorized devices connect to their corporate intranets. Slightly more than a third of the webcast participants believe all of the devices that connect to the corporate intranet are authorized, and approximately 32 percent have no handle on the volume of unauthorized devices accessing the corporate network. Unauthorized and unprotected mobile devices may expose companies to malware and data loss, and could even allow hackers to intercept unencrypted communications.

To address the risks associated with mobile devices and employees’ productivity needs, some companies—45 percent, according to Deloitte Touche Tohmatsu Limited’s 2013 Global Mobile Consumer Survey—have implemented Bring Your Own Device (BYOD) policies. But even organizations with BYOD policies face challenges securing mobile device data, according to Kieran Norton, a principal with Deloitte & Touche LLP’s Cyber Risk Services practice. For example, users are less likely to report a lost device to IT when it’s their own for fear of losing their personal data, along with any company information, when the device is wiped. As a result, IT may not be able to remotely lock or wipe the device before it falls into the wrong hands. And given that users can typically install applications on their own devices, Norton notes that data leakage problems associated with mobile malware are often felt more acutely in BYOD environments.

Consequently, different models for BYOD policies are evolving. Corporate-driven BYOD policies allow employees to choose among a list of accepted devices and corporate-organized wireless plans. In return for relinquishing some choice and control, employees get a high degree of IT support. The corporate-driven approach contrasts with the user-driven approach, where employees have more choices but less IT support. In a hybrid BYOD model, enterprises establish a list of accepted devices, employees are responsible for selecting the wireless plan, and corporate IT provides support.

In addition to implementing the appropriate BYOD policy and operational program, other tactics Norton suggests for tackling mobile security risks include encrypting local data as well as encrypting sensitive communications “in transit,” using “secure containers” to partition corporate data on employee-owned devices and keep it safe from malware, and virtualization—both at the application level and by running two mobile operating systems (one for personal use, the other for business use) in segregated environments on the same device.
