Report Ponemon Mobility Risks 1202 En


  • 8/2/2019 Report Ponemon Mobility Risks 1202 En


    Global Study on Mobility Risks
    Survey of IT & IT Security Practitioners

    Sponsored by Websense, Inc.
    Independently conducted by Ponemon Institute LLC

    Publication Date: February 2012

    Ponemon Institute

    Research Report


    Ponemon Institute, February 2012

    Part 1: Introduction

    Mobile devices are a mixed blessing for employees, and a mixed blessing for organizations, but for different reasons. Smartphones allow workers much more flexibility in managing their schedules, but at the cost of always finding themselves at work. Who among us has not answered work emails from the dinner table, waiting in line at a store, even from the car, and probably every room of the house?

    And organizations reap huge benefits from having near-instant responses even outside of work hours, but they simultaneously open the door to unprecedented loss of sensitive data. As laptops, iPhones, Androids, iPads, and USB drives increase in sophistication, they can do more and more, and they become more and more popular, but they also greatly increase the risk to an organization's networks, sensitive data, and ultimately, profits and reputation.

    And so it is little wonder that quite a few security experts[1] have designated smartphones and other mobile devices as one of the most serious threat vectors for an organization. This is partially due to the nomadic work life of employees. Sensitive data on mobile devices travels physically and electronically, from the office to home and other off-site locations. According to a previous Ponemon Institute study of 116 organizations, 62 percent of mobile data-bearing devices that were lost or stolen contained sensitive or confidential information.[2]

    IT has years of experience locking down desktops and encrypting laptop hard drives. Now that mobile devices are proliferating as corporate tools, the huge new exposure to data theft and loss cannot be ignored. According to a previous Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices. And only 28 percent said employee desktop computers were the cause.[3]

    On the electronic front, mobile attacks are getting more sophisticated and effective. In the coming year, we expect to see targeted device attacks from malware, spyware, malicious downloads/mobile apps, phishing, and spam. Because of their ubiquity and disruptive growth, Androids and iPhones have emerged as particularly popular platforms for attack.

    To help IT security professionals plan for an increasingly mobile electronic workforce, Websense, Inc. and Ponemon Institute have created this Global Study on Mobility Risks. We surveyed 4,640 IT and IT security practitioners in the United States, United Kingdom, Australia, Brazil, Canada, France, Germany, Hong Kong, Italy, India, Mexico, and Singapore. Fifty-four percent are supervisors or above, 42 percent are employed by organizations with more than 5,000 employees, and they have an average tenure of 10 years.

    We define mobile devices as laptops, USB drives, smartphones, and tablets, and asked about four major issues:

    - Importance of mobile devices in reaching business goals.
    - Existence of enforceable policies that govern the use of mobile devices.
    - Security risks created by employee use of mobile devices.
    - Security technologies that reduce or mitigate mobility risks.

    [1] Dr. Larry Ponemon and Stanton Gatewood, Ponemon's Predictions: Trends in IT Security, Webinar sponsored by ArcSight, May 17, 2011
    [2] Ponemon Institute's security tracking study of 116 global companies with a special carve-out on mobile-connected devices used by employees, conducted September 2010 through March 2011
    [3] Ponemon Institute, Perceptions about Network Security, June 2011

    The top findings are alarming, but not surprising:

    - Fifty-nine percent of respondents report that employees circumvent or disengage security features such as passwords and key locks.

    - During the past 12 months, 51 percent of the organizations in this study experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets.

    - Seventy-seven percent of respondents agree that the use of mobile devices in the workplace is important to achieving business objectives. A similar percentage (76 percent) believes that these tools put their organizations at risk. Only 39 percent have the necessary security controls to address the risk, and only 45 percent have enforceable policies.

    - Sixty-five percent of respondents are most concerned with employees taking photos or videos in the workplace, probably due to fears about the theft or exposure of confidential information. Other unacceptable uses include downloading and using internet apps (44 percent) and using personal email accounts (43 percent). Forty-two percent say that downloading confidential data onto devices (USB or Bluetooth) is not acceptable in their organizations.


    Part 2. Analysis of key findings

    In this section, we discuss the consolidated findings for all 12 countries represented in the study. The purpose of this research is to examine the impact employees' mobile devices have on the security of sensitive and confidential information and how organizations are responding to the risks. The complete audited findings are presented in the appendix.

    Due to the importance of mobile devices for business reasons, more organizations need to have the necessary security controls in place. Seventy-seven percent of respondents say that employee use of mobile devices is essential or very important to their organization's ability to meet its business objectives. They also acknowledge that employee use of these devices puts their organizations at risk. Only 39 percent say that they have the necessary security controls in place to mitigate or reduce the threat, as shown in Bar Chart 1.

    Bar Chart 1: Perceptions about the use and risks of employees' mobile devices
    Strongly agree & agree responses combined

    - My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices: 39%
    - The use of mobile devices in the workplace represents a serious security threat: 76%
    - The employees' use of mobile devices in meeting business objectives is essential or very important: 77%

    Because of their many benefits, mobile devices will continue to be ubiquitous in the workplace. Restricting their use is not an option, so organizations need to address the risk through policies, processes, and enabling technologies.


    Insecure mobile devices, including laptops, smartphones, USB devices, and tablets, increase rates of malware infections. As shown in Bar Chart 2, 59 percent of respondents say that over the past 12 months, their organizations experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure.

    Bar Chart 2: Employees' use of mobile devices in the workplace increases malware infections.

    - Yes: 59%
    - No: 16%
    - Unsure: 25%

    We asked respondents to estimate by how much malware infections increased due to these insecure mobile devices. Bar Chart 3 reveals that 31 percent of respondents (17 percent + 12 percent + 2 percent) say that these devices are responsible for an increase of more than 50 percent in malware infections. Seventeen percent do not know.

    Bar Chart 3: Percentage increase in malware infections due to insecure mobile devices

    - Don't know: 17%
    - Less than 10%: 10%
    - 10 to 25%: 19%
    - 26 to 50%: 23%
    - 51 to 100%: 17%
    - 101 to 200%: 12%
    - More than 200%: 2%


    Many organizations had data loss or serious exploits resulting from employee use of insecure mobile devices. Fifty-one percent of respondents say that their organizations experienced a data breach due to insecure mobile devices, and 23 percent are unsure. As shown in Bar Chart 4, the consequences of mobile data breaches were serious. They include theft, removal, or loss of information and/or other resources (38 percent); and disclosure of private or confidential information (31 percent).

    Bar Chart 4: Consequences of a mobile device data breach

    - Corruption or modification of information: 6%
    - Other: 7%
    - Destruction of information and/or other resources: 7%
    - Interruption of services: 10%
    - Disclosure of private or confidential information: 31%
    - Theft, removal or loss of information and/or other resources: 38%


    Fifty-five percent of respondents (37 percent + 18 percent) say that their organizations do not have a policy that addresses the acceptable or unacceptable use of mobile devices by employees or they are unsure. As shown in Bar Chart 5 in red, if they do have a policy, less than half (48 percent) say that the policy is enforced and 18 percent are unsure.

    Bar Chart 5: Existence of mobile device acceptable/unacceptable use policies & enforcement of policies

    - Our organization has a policy that addresses the use of mobile devices: Yes 45%, No 37%, Unsure 18%
    - This policy is enforced: Yes 48%, No 34%, Unsure 18%

    We asked those respondents who said that there is no enforcement of these policies to provide the reasons. Primarily it is due to lack of governance and oversight (58 percent) and because other security issues are a priority (47 percent). Thirty-nine percent cite insufficient resources to monitor compliance.

    Bar Chart 6: Reasons for not enforcing policies
    Two choices permitted

    - Insufficient resources to monitor compliance with the policy: 39%
    - Other security issues are a priority: 47%
    - Lack of governance and oversight: 58%


    Security settings and controls at the device level are required in many organizations but are often turned off. Forty-nine percent of organizations require mobile devices used in the workplace to have appropriate security settings and controls at the device level, 38 percent do not require security settings, and 13 percent are unsure. Bar Chart 7 shows that of those organizations that require security settings and controls, only 6 percent say that all employees are compliant and 15 percent do not know.

    Bar Chart 7: Employee compliance with mobile device security requirements

    - Less than 10%: 9%
    - 10 to 25%: 11%
    - 26 to 50%: 28%
    - 51 to 75%: 12%
    - 76 to 99%: 19%
    - 100% (every device): 6%
    - Don't know: 15%

    As shown in Bar Chart 8, 59 percent say that their employees circumvent or disengage security features such as passwords and key locks. Only 29 percent say employees are compliant and do not engage in this practice. Twelve percent are unsure.

    Bar Chart 8: Mobile device security features are circumvented or disengaged

    - Yes: 59%
    - No: 29%
    - Unsure: 12%


    The majority of respondents believe that diminished bandwidth, the loss of confidential information, and a decrease in employee productivity are the negative consequences of insecure mobile devices. Seventy-two percent of respondents say the top negative consequence of mobile devices is keeping up with the need to increase bandwidth (Bar Chart 9). This is likely due to the explosion in mobile media and the sharing of videos, music, and applications.

    Sixty-eight percent say that the loss of confidential information or violation of confidentiality policy is very likely to occur. Similarly, 68 percent also see a diminishment in employee productivity. About half (49 percent) of respondents believe that a negative consequence is an increase in malware infections.

    Bar Chart 9: Negative consequences of insecure mobile devices
    (Already happened and very likely to happen responses combined)

    - Increase in virus or malware infections: 49%
    - Diminishes employee productivity: 68%
    - Loss of confidential information or violation of confidentiality policy: 68%
    - Diminishes IT bandwidth: 72%


    To mitigate the risks created by mobile devices, certain technologies are preferred. According to Bar Chart 10, the technologies considered essential or very important by respondents are: device level encryption, endpoint security solution, and identity & access management (IAM).

    Bar Chart 10: Preferred technologies to mitigate the risks created by mobile devices
    (Essential and very important responses combined)

    - Database security solution: 10%
    - Intrusion prevention (IPS) & intrusion detection (IDS): 20%
    - Content aware firewalls: 21%
    - Encryption solution: 42%
    - Data loss prevention (DLP): 49%
    - Network intelligence (SIEM): 55%
    - Secure web gateway (SWG): 60%
    - Mobile device management (MDM): 61%
    - Anti-virus/anti-malware (AV/AM): 72%
    - Identity & access management (IAM): 73%
    - Endpoint security solution: 78%
    - Device level encryption: 79%

    According to Websense, many companies make significant investments in encryption and endpoint security to protect sensitive data, but they often don't know how/what data is leaving through insecure mobile devices. Traditional static security solutions such as antivirus, firewalls, and passwords are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders. To safely permit corporate use of mobile devices, organizations need data loss prevention technology that knows where critical data is saved, who is accessing it, how it's attempting to leave, and where it's going.

    Real-time malware intelligence is also necessary because cybercriminals change their tactics faster than traditional security updates are pushed out. Websense recommends that organizations proactively deploy real-time anti-malware technology via cloud services that continually analyzes and re-analyzes websites and mobile applications. Using cloud security services enables organizations to protect remote users anytime and anywhere. For more information, read A 3-Step Plan for Mobile Security (http://www.websense.com/assets/white-papers/whitepaper-a-3-step-plan-for-mobile-security.pdf).

    The use of personal mobile devices is putting organizations at risk. As shown in Bar Chart 11, 85 percent of respondents say that their organizations allow employees to use their personal devices to connect to corporate email. Seventy-one percent permit access to personal (web-based) email and business applications.

    Bar Chart 11: Acceptable use of mobile devices in the workplace
    More than one choice permitted

    - Other (please specify): 6%
    - Non-business applications: 44%
    - Wi-Fi or other local networks: 62%
    - Personal (web-based) email: 71%
    - Business applications: 71%
    - Corporate email: 85%

    According to respondents, personal devices are posing just as much risk as insecure corporate mobile devices. Fifty-eight percent say that their organization has experienced an increase in malware infections as a result of personally owned mobile devices used in the workplace. Fifty-six percent say that more confidential data has been lost as a result of these devices, while 26 percent are unsure (Bar Chart 12).

    Bar Chart 12: Increase in malware infections and loss of confidential data

    - Our organization has experienced an increase in viruses or malware infection: Yes 58%, No 19%, Unsure 23%
    - The loss of confidential data has increased: Yes 56%, No 18%, Unsure 26%


    Organizations worry about employees using their mobile device to take photos or videos in the workplace. According to Bar Chart 13, 65 percent of respondents say that this practice is frowned upon by their organizations and is considered unacceptable. Other unacceptable practices include: downloading and using internet apps (44 percent); using personal email accounts (43 percent); and downloading confidential data onto the device (42 percent).

    Bar Chart 13: Unacceptable uses of mobile devices
    More than one choice permitted

    - Other: 4%
    - Using business email accounts: 15%
    - Personal phone calls: 20%
    - Downloading and watching videos: 25%
    - Downloading confidential data onto the device: 42%
    - Using personal email accounts: 43%
    - Downloading and using internet apps: 44%
    - Taking photos or videos in the workplace: 65%


    Part 3. Significant differences among various countries

    This section covers the different perceptions among IT and IT security practitioners in 12 countries concerning the use of mobile devices in their organizations.[3]

    Perception of risk. According to Bar Chart 14, countries with organizations that are most likely to see mobile devices as a serious threat to their organization are Italy, France, and Australia. The countries with organizations that are the most confident that they have the necessary controls in place to address the threats are Singapore, Hong Kong, Germany, and Canada. Organizations in Italy and France have the highest percentage of respondents who recognize the risk of mobile devices but they are the least likely to have the necessary security controls in place to reduce risk.

    Bar Chart 14: Two attributions about employees' mobile devices and the risk they pose
    Results shown for 12 separate country samples

    - The use of mobile devices represents a serious security threat to my organization: DE 53%, HK 65%, CA 72%, MX 73%, US 74%, UK 75%, SG 78%, IN 78%, BZ 82%, AU 85%, FR 86%, IT 88%
    - My organization has the necessary security controls in place to mitigate or reduce the risk posed by insecure mobile devices: DE 56%, HK 58%, CA 52%, MX 38%, US 35%, UK 33%, SG 59%, IN 30%, BZ 39%, AU 36%, FR 13%, IT 17%

    [3] The horizontal axis to each line graph represents the individual country sample. See Table 1 (Methods section) for country legend used in this section.


    Mobile devices are important tools for business. Bar Chart 15 shows that a majority of organizations in all 12 countries consider mobile devices important to meeting business objectives. More respondents in organizations in Italy, France, Germany, and Brazil consider mobile devices important.

    Bar Chart 15: How important are mobile devices in meeting business objectives
    Results shown for 12 separate country samples

    AU 61%, UK 63%, US 69%, CA 71%, IN 74%, MX 74%, SG 75%, HK 77%, BZ 80%, DE 91%, FR 91%, IT 92%

    Acceptable/unacceptable mobile device policy use in the workplace. According to Bar Chart 16, respondents in Germany, Brazil, and Hong Kong have the most organizations with an acceptable/unacceptable use policy for mobile devices. According to respondents, organizations in Italy, Canada, France, India, and the U.K. are less likely to have such a policy.

    Bar Chart 16: Organizations that have a mobile device usage policy
    Results shown for 12 separate country samples

    UK 29%, IN 31%, FR 33%, CA 33%, IT 34%, US 35%, MX 45%, AU 45%, SG 52%, HK 60%, BZ 62%, DE 76%


    Increased data loss and serious exploits due to mobile devices. Respondents in countries that report the most data loss and security exploits from insecure mobile devices are Italy, Canada, and Germany. Organizations with the least reported incidents are in Singapore, Brazil, and the U.K. (Bar Chart 17).

    Bar Chart 17: Data loss or serious exploits due to insecure mobile devices
    Results shown for 12 separate country samples

    UK 41%, BZ 43%, SG 45%, FR 48%, AU 50%, US 51%, MX 52%, IN 53%, HK 55%, DE 57%, CA 58%, IT 58%

    Employees disable mobile device security features. As shown in Bar Chart 18, respondents in Italy and France have the highest percentage of organizations reporting that employees circumvent or disengage mobile device security features, including passwords and key locks. Organizations in Germany and Canada report the lowest percentage.

    Bar Chart 18: Employees circumvent mobile device security
    Results shown for 12 separate country samples

    DE 32%, CA 45%, SG 55%, UK 56%, HK 60%, US 60%, MX 61%, BZ 63%, AU 65%, IN 66%, FR 72%, IT 75%


    Increase in malware infections. According to Bar Chart 19, a higher percentage of respondents in Germany, Hong Kong, Canada, India, and Australia report an increase in malware infections as a result of personally owned mobile devices used in the workplace. Organizations in Italy and Brazil report the lowest malware infections. The majority of organizations in all countries say that the loss of confidential data has increased as a result of personally owned mobile devices in the workplace (not shown in the bar graph).

    Bar Chart 19: Mobile devices pose risks to sensitive data
    Results shown for 12 separate country samples

    BZ 42%, IT 52%, FR 55%, US 56%, SG 56%, UK 58%, MX 58%, AU 61%, IN 61%, CA 63%, HK 64%, DE 65%


    Part 4: Summary and recommendations

    In every part of the globe, IT and IT security practitioners recognize the positive impact that mobility brings to productivity. Benefits include 24/7 access to email, corporate documents, and other essential information. The challenge is how to ensure that mobile device use does not jeopardize the security of sensitive and confidential information.

    Here are five recommendations on how to effectively manage security technology and enjoy the business benefits of mobile devices:

    - Understand the risk that mobile devices create in the workplace. Conduct a risk assessment to understand what practices may be putting your organization at risk, such as storing large amounts of confidential data that are at high risk for data leakage and loss.

    - Educate employees about the importance of safeguarding their mobile devices. Risky behavior includes downloading apps and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information.

    - Create a comprehensive mobile device policy (including detailed guidelines) for all employees and contractors. The policy should address the risks and the security procedures that should be followed.

    - Use enabling technologies to detect and prevent data theft and mobile malware danger. Implement layers of security where device management capabilities are supplemented by advanced secure access controls, threat protection provided by cloud services, and data theft protection at the endpoint to identify valuable intellectual property and protect it.

    - Use policy controls to keep productivity and resource utilization in check.


    Part 5: Details, methods, and limitations

    The table below reports the sample response for the 12 country samples. The sample response was conducted over a 30-day period ending in July 2011. Our consolidated sampling consisted of 116,491 individuals who have bona fide credentials in the IT or IT security fields. From this sampling frame, we captured 5,131 returns of which 491 were rejected for reliability issues. Our final consolidated sample before screening was 4,640, thus resulting in a four percent response rate.

    Table 1: Sample response for 12 countries

    Country         Legend  Sample frame  Returns  Rejections  Final sample  Response rate
    United States   US      15,775        655      54          601           3.8%
    United Kingdom  UK      9,885         419      32          387           3.9%
    Canada          CA      8,701         451      30          421           4.8%
    Germany         DE      11,063        560      25          535           4.8%
    Australia       AU      6,503         329      29          300           4.6%
    Singapore       SG      5,003         277      18          259           5.2%
    Hong Kong       HK      4,993         256      35          221           4.4%
    Brazil          BZ      11,090        504      76          428           3.9%
    Mexico          MX      12,509        398      52          346           2.8%
    India           IN      13,010        560      49          511           3.9%
    France          FR      9,005         367      40          327           3.6%
    Italy           IT      8,954         355      51          304           3.4%
    Total                   116,491       5,131    491         4,640         4.0%

    Pie Chart 1 summarizes the approximate position levels of respondents in our study. The majority (54 percent) of respondents are at or above the supervisory level. The average experience in IT or IT security is 10.35 years.

    Pie Chart 1: Distribution of respondents according to position level
    Consolidated for 12 separate country samples

    - Senior Executive: 1%
    - Vice President: 2%
    - Director: 14%
    - Manager: 21%
    - Supervisor: 16%
    - Technician: 27%
    - Staff: 13%
    - Contractor: 4%
    - Other: 3%


    Pie Chart 2 reports the respondents' primary industry segments. Seventeen percent are in financial services, which includes banking, investment management, insurance, brokerage, payments, and credit cards. Another 17 percent are in public sector organizations, including central and local government.

    Pie Chart 2: Distribution of respondents according to primary industry classification
    Consolidated for 12 separate country samples

    - Financial services: 17%
    - Public sector: 17%
    - Health & pharma: 10%
    - Industrial: 8%
    - Retail: 8%
    - Services: 6%
    - Technology: 5%
    - Hospitality: 5%
    - Transportation: 4%
    - Education & research: 4%
    - Communications: 3%
    - Energy: 3%
    - Entertainment & media: 3%
    - Defense: 2%
    - Other: 5%

    Pie Chart 3 shows that a majority of respondents (71 percent) are located in large organizations with more than 1,000 employees.

    Pie Chart 3: Distribution of respondents according to organizational headcount
    Consolidated for 12 separate country samples

    - Less than 500 people: 12%
    - 500 to 1,000 people: 17%
    - 1,001 to 5,000 people: 29%
    - 5,001 to 25,000 people: 22%
    - 25,001 to 75,000 people: 14%
    - More than 75,000 people: 6%


    Limitations

    There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

    - Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

    - Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners who deal with network or security issues. Responses from paper, interviews, or telephone might result in a different pattern of findings.

    - Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, some respondents may not provide their true opinions.


    Appendix: Audited Findings

    The following tables report the percentage frequencies for all survey questions relating to mobility risks in the workplace (Part 2). The consolidated values for 12 separate country samples are reported. See Table 1 for additional details. Please note that Part 1 of the survey instrument is not reported here. These additional survey questions pertain to the use of social media devices in the workplace and were presented in a separate report, Global Survey on Social Media Risks, in September 2011. All survey responses were gathered in July 2011.

    Country samples Consolidated

    Sample frame 116,491

    Returned surveys 5,131

    Rejected surveys 491

    Final sample 4,640

    Response rate 4.0%

    Part 2. Mobile device

    Attributions: Five-point scale from strongly agree to strongly disagree. Reported isstrongly agree and agree responses combined.

    Consolidated

    Q13a. The use of mobile devices in the workplace represents a serious security threat to my organization.

    76%

    Q13b. My organization has the necessary security controls in place to mitigate or reduce the risk posed by insecure mobile devices used in the workplace.

    39%

    Q14. How important is the employees' use of mobile devices in terms of meeting your organization's business objectives? Scale is from essential to irrelevant. Reported is essential and very important responses combined.

    77%

    Q15a. Does your organization have a policy that addresses the acceptable or unacceptable use of mobile devices by employees?

    Consolidated

    Yes 45%

    No 37%

    Unsure 18%

    Total 100%

    Q15b. If yes, is this policy enforced? Consolidated

    Yes 48%

    No 34%

    Unsure 18%

    Total 100%

    Q15c. If you answered no in Q15b, why isn't the policy enforced? Please select only two choices.

    Consolidated

    Insufficient resources to monitor compliance with the policy 39%

    Other security issues are a priority 47%

    Lack of management concern 26%

    Lack of technology solutions 21%

    Lack of governance and oversight 58%

    Other (please specify) 6%

    Total 198%


    http://www.websense.com/content/ponemon-institute-research-report-2011.aspx?cmpid=pr

    Q16. What is an unacceptable use of a mobile device by employees within your organization?

    Consolidated

    Personal phone calls 20%

    Downloading confidential data onto the device (USB or Bluetooth) 42%

    Using business email accounts 15%

    Using personal email accounts 43%

    Downloading and using internet apps 44%

    Downloading and watching videos 25%

    Taking photos or videos in the workplace 65%

    Other (please specify) 4%

    Total 258%

    Q17. What percentage of mobile devices used in the workplace are infected by viruses or malware? Your best guess is welcome.

    Consolidated

    None 14%

    Less than 1% 13%

    1 to 5% 20%

    5 to 10% 18%

    11 to 25% 6%

    26 to 50% 6%

    51 to 75% 3%

    More than 75% 6%

    Don't know 14%

    Total 100%

    Q18a. Over the past 12 months, did your organization experience an increase in viruses or malware infections as a result of insecure mobile devices used in the workplace?

    Consolidated

    Yes 59%

    No 16%

    Unsure 25%

    Total 100%

    Q18b. If yes, approximately (in percentage terms) how much did viruses and malware infections increase during the past 12 months? Your best guess is welcome.

    Consolidated

    Less than 10% 10%

    10 to 25% 19%

    26 to 50% 23%

    51 to 100% 17%

    101 to 200% 12%

    More than 200% 2%

    Don't know 17%

    Total 100%

    Q19. Please rate the likelihood of each one of the following scenarios happening because of employees' use of insecure mobile devices in the workplace. Please use the five-point scale provided below each item from already happens to never. Reported are the already happened and very likely to happen responses combined.

    Consolidated

    Q19a. Diminishes IT bandwidth 72%

    Q19b. Diminishes employee productivity 68%

    Q19c. The loss of confidential information or violation of confidentiality policy 68%

    Q19d. An increase in virus or malware infections 49%


    Q20a. During the past 12 months, did your organization experience any data loss or serious exploits resulting from employees' use of insecure mobile devices?

    Consolidated

    Yes 51%

    No 26%

    Unsure 23%

    Total 100%

    Q20b. If yes, what was the nature of the data breach or security exploits? Consolidated

    Destruction of information and/or other resources 7%

    Corruption or modification of information 6%

    Theft, removal or loss of information and/or other resources 38%

    Disclosure of private or confidential information 31%

    Interruption of services 10%

    Other (please specify) 7%

    Total 100%

    Q21a. Does your organization require mobile devices used in the workplace to have appropriate security settings and controls at the device level?

    Consolidated

    Yes 49%

    No 38%

    Unsure 13%

    Total 100%

    Q21b. If yes, what is the approximate percentage of mobile devices used in the workplace that have appropriate security settings and controls? Your best guess is welcome.

    Consolidated

    Less than 10% 9%

    10 to 25% 11%

    26 to 50% 28%

    51 to 75% 12%

    76 to 99% 19%

    100% (every device) 6%

    Don't know 15%

    Total 100%

    Q22a. Do employees in your organization ever circumvent or disengage mobile device security features including passwords and key locks (a.k.a. jailbreak)?

    Consolidated

    Yes 59%

    No 29%

    Unsure 12%

    Total 100%


    Q22b. If yes, what is the approximate percentage of employees who disengage or turn-off security features on their mobile device? Your best guess is welcome.

    Consolidated

    Less than 10% 8%

    10 to 25% 7%

    26 to 50% 37%

    51 to 75% 19%

    76 to 100% 5%

    Don't know 24%

    Total 100%

    Q23. In your opinion, who in your organization is most likely to cause serious security problems because of insecure mobile devices?

    Consolidated

    Senior level executives 13%

    Supervisors and managers in non-IT areas of the organization 14%

    Supervisors and managers in IT areas of the organization 18%

    Staff and associate level employees in non-IT areas of the organization 22%

    Staff and associate level employees in IT areas of the organization 8%

    Contractors and part-time employees 19%

    Other (please specify) 6%

    Total 100%

    Q24. In your opinion, how important is each one of the following enabling security technologies at reducing or mitigating security threats caused by the use of mobile devices in the workplace? Please indicate your opinion using the following scale: Essential to irrelevant. Reported are essential and very important responses combined.

    Consolidated

    Mobile device management (MDM) 61%

    Data loss prevention (DLP) 49%

    Anti-virus/anti-malware (AV/AM) 72%

    Intrusion prevention (IPS) & intrusion detection (IDS) 20%

    Content aware firewalls 21%

    Identity & access management (IAM) 73%

    Endpoint security solution 78%

    Database security solution 10%

    Device level encryption 79%

    Network intelligence (SIEM) 55%

    Encryption solution 42%

    Secure web gateway (SWG) 60%

    Other (please specify) 5%

    Total 623%

    Q25. Approximately, what percentage of mobile devices used in the workplace are owned by employees (rather than provided by the organization)? Your best guess is welcome.

    Consolidated

    None 14%

    Less than 10% 6%

    10 to 25% 8%

    26 to 50% 31%

    51 to 75% 15%

    76 to 100% 9%

    Cannot determine 18%

    Total 100%


    Q26. Do you allow employees' personally owned mobile devices to connect to any of the following within your corporate IT infrastructure? Please check all that apply.

    Consolidated

    Corporate email 85%

    Personal (web-based) email 71%

    Business applications 71%

    Non-business applications 44%

    WIFI or other local networks 62%

    Other (please specify) 6%

    Total 340%

    Q27. Did your organization experience an increase in viruses or malware infections as a result of personally owned mobile devices used in the workplace?

    Consolidated

    Yes 58%

    No 19%

    Unsure 23%

    Total 100%

    Q28. Has the loss of confidential data increased as a result of personally owned mobile devices in the workplace?

    Consolidated

    Yes 56%

    No 18%

    Unsure 26%

    Total 100%

    Part 3. Organizational characteristics & respondent demographics

    D1. What organizational level best describes your current position? Consolidated

    Senior Executive 1%

    Vice President 2%

    Director 14%

    Manager 21%

    Supervisor 16%

    Technician 27%

    Staff 13%

    Contractor 4%

    Other 3%

    Total 100%

    D2. Total years of relevant experience Consolidated

    Total years of IT or security experience 10.35

    Total years in current position 4.70


    D3. Check the primary person you or your IT security leader reports to within the organization.

    Consolidated

    CEO/Executive Committee 1%

    Chief Financial Officer 3%

    General Counsel 1%

    Chief Information Officer 62%

    Compliance Officer 11%

    Human Resources VP 1%

    CISO/CSO 14%

    Chief Risk Officer 3%

    Other 6%

    Total 100%

    D4. What industry best describes your organization's industry focus? Consolidated

    Communications 3%

    Defense 2%

    Education & research 4%

    Energy 3%

    Entertainment & media 3%

    Financial services 17%

    Health & pharma 10%

    Hospitality 5%

    Industrial 8%

    Public sector 17%

    Retail 8%

    Services 6%

    Technology 5%

    Transportation 4%

    Other 5%

    Total 100%

    D5. Where are your employees located? (Check all that apply): Consolidated

    United States 87%

    Canada 63%

    Europe 67%

    Middle East & Africa 38%

    Asia-Pacific 70%

    Latin America (including Mexico) 68%

    D6. What is the worldwide headcount of your organization? Consolidated

    Less than 500 people 12%

    500 to 1,000 people 17%

    1,001 to 5,000 people 29%

    5,001 to 25,000 people 22%

    25,001 to 75,000 people 14%

    More than 75,000 people 6%

    Total 100%


    Ponemon Institute
    Advancing Responsible Information Management

    Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

    As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.