Secure data access in a mobile universe A report from the Economist Intelligence Unit Sponsored by


© The Economist Intelligence Unit Limited 2012

Contents

Preface

Executive summary

Introduction

1 Modern mobility: where are we now?

2 Loss, theft and bad habits: what are firms doing to meet the challenges?

3 Ever-more data on the go: the emerging trends

4 How can companies ensure effective mobile policies?

5 Conclusion

Appendix: survey results


Preface

An ever-growing use of consumer communication devices in the workplace and a need to maximise the productivity of executives and workers on the move are requiring businesses to respond. Secure data access in a mobile universe explores how companies can accommodate rising demands for mobile access to business information while minimising the security risks to proprietary data. As the basis for the research, the Economist Intelligence Unit in June 2012 conducted a global survey of 578 senior executives. The survey explores how organisations are—or should be—responding to current and emerging challenges stemming from an unstoppable trend towards “bring your own device” (BYOD), as well as rising worker mobility more generally. We also undertook a series of in-depth interviews. The findings and views expressed in this report do not necessarily reflect the views of the sponsor. The author was Lynn Greiner. Michael Singer and Justine Thody edited the report and Mike Kenny was responsible for the layout. We would like to thank all of the executives who participated in the survey and interviews, including those who provided insight but did not wish to be identified, for their valuable time and guidance.

Interviewees

Lucy Burrow, director of IT governance, King’s College London

Mike Cordy, global chief technology officer, OnX Enterprise Solutions

Steve Ellis, executive vice-president, Wells Fargo

Jay Leek, chief information security officer, Blackstone Group

Arturo Medina, information technology director, Ipsos Mexico

Bill Murphy, chief technology officer, Blackstone Group

Al Raymond, vice-president, Aramark

Ashwani Tikoo, chief information officer, CSC India


Executive summary

In the late 1990s portable laptops and mobile devices emerged that allowed executives to be productive while away from their offices. Devices like the IBM ThinkPad and RIM BlackBerry ushered in an era of multifunction mobile equipment that proved irresistible for the C-suite. Today, the world’s mobile worker population has expanded far beyond corner offices and is expected to reach 1.3bn people, or nearly 38% of the total workforce, by 2015, according to IDC, a technology research firm. By some estimates, as many as 76% of companies currently support a “bring your own device” (BYOD) policy, suddenly thrusting them into the position of securing access to data on devices they might not own. Most of those firms say they allow employees to use personal devices to make more effective decisions, avoid missed opportunities and work more effectively with their partners and customers—the same reasons driving companies to enable mobile data access on firm-owned devices.

In June 2012 the Economist Intelligence Unit conducted a global survey, sponsored by Cisco, of 578 senior executives to explore their perspectives on securing data on mobile devices. The principal research findings are as follows:

• Most executives are uneasy about their company’s mobile data-access policies. Although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. Nearly half of respondents (49%) say the complexity of securing multiple data sources and a lack of knowledge about mobile-access security and risk (48%) are top challenges for their companies.

Who took the survey?

The survey questioned 578 senior executives worldwide. The respondents were based primarily in North America (29%), Western Europe (25%) and the Asia-Pacific region (27%), with the rest from the Middle East and Africa, Latin America and Eastern Europe. Of the total number of respondents, 23% were from the US, 10% from India, 7% from Canada and 6% from the UK. In terms of seniority, 27% were at the CEO level, 17% at the senior vice-president level and 15% at the manager level.

With respect to organisation size, 55% were from companies with revenue of US$500m or more annually, with 22% of those with revenue of US$10bn or more. Respondents represented a wide variety of industries, in particular IT and technology (13%), financial services (11%), professional services (11%) and energy and natural resources (9%). Functionally, respondents identified their primary roles as general management, business development, finance and sales and marketing.

• Larger companies are most willing to allow mobile access to critical data, but also impose stricter rules. More than 90% of companies with revenue over US$1bn allow access to data via either personal or company-owned devices. However, more than half of organisations with over US$5bn in revenue allow access only on company devices, while a third also permit access on personal devices. By contrast, only 37% of companies with revenue under US$500m insist on company-owned devices, while 47% permit access on personal devices as well. Mobile users within larger firms, however, must stay within the lines of approved devices requiring multiple policy signoffs.

• Mobile policies must not neglect social networking. While 56% of survey respondents have policies covering acceptable use of social networks via mobile devices, 33% of executives surveyed are restricted from discussing their work on social media platforms. Close attention to policies around social networking can enable effective interaction while still protecting corporate data assets and avoiding liability.

• Available infrastructure is the key influence on company policies around mobile access. While 44% of respondents say pressure from executives is one of the most important influences on policy, that number is dwarfed by the 60% who cite IT infrastructure requirements. This indicates an opportunity exists for companies offering services to secure and manage mobile access.

Is the mobile data access trend unstoppable? The short answer is yes; more sophisticated devices that offer a better user experience only serve to accelerate the trend. This means policies are mandatory, not optional. Getting employees involved in shaping those policies certainly increases the likelihood of compliance, according to executives interviewed for this research.


Introduction

Adopting the right policies around mobile data access is becoming an increasing concern for many companies. Senior employees, as much as younger recruits, are demanding access to corporate data anywhere, anytime, on mobile as well as fixed devices. And many companies are realising that supporting mobile-device policies can pay dividends in the form of increased engagement and productivity—including a greater willingness to be responsive outside of working hours. BYOD-friendly workplaces are also more likely to attract tech-savvy workers, which usually helps spur innovation.

As devices proliferate and lines between consumer and corporate IT continue to blur, the challenges companies face in adapting to this cultural shift will grow. Expanding the scope of business data access presents obvious business risks, as well as technological challenges. Portable devices can be lost or stolen. People may share their devices with friends or relatives, increasing the risk of leakage of confidential data. Often these data are accessed from software applications not sanctioned by the company. But it is increasingly futile for IT departments to try to control the devices people bring to work, or to control how people use devices outside the office. They must respond to the increased vulnerability of corporate data networks by enforcing effective safeguards, both to protect business-critical data and to comply with regulatory environments in every region in which the company operates.


1 Modern mobility: where are we now?

Nearly one billion smart connected devices were shipped worldwide in 2011, a number expected to double by 2016, according to IDC, a technology research firm. These devices include PC-based products such as laptops and netbooks, mobile phones and tablets. The Economist Intelligence Unit survey showed that many people use multiple devices, most often a combination of laptop and smartphone, although tablets are increasing in penetration. Worldwide tablet shipments in the second quarter of 2012 grew by 33.6% over the first quarter and 66.2% over the same quarter in 2011, according to IDC’s estimates. We expect to see significant growth in the use of tablets after the release of the next generation of software operating systems. Added collaboration and communication features on newer tablets will attract executives with a wider range of data-access options than smartphones.

Supporting executives on the road with information fed to their mobile devices allows them to make quick, informed decisions, especially at critical times, such as business negotiations, notes Ashwani Tikoo, chief technology officer of CSC India, an IT services provider. In the second-largest operations centre for CSC global, Mr Tikoo is responsible for security policies that protect business data on mobile devices. Instant availability of data allows sales people to make the right decisions on the spot, rather than making the customer wait, he says. To prevent data loss, CSC’s security policies require data encryption on all mobile devices, including personal devices covered under a BYOD policy.

Preventing the data from being stored on a mobile device is another strategy. Al Raymond, vice-president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.

Executive mobile social policies
What policies does your organisation face around social network use on corporate devices? (% respondents)

Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
Only authorised spokespersons are permitted to access social networks on corporate devices: 26
Executives have unrestricted access to social networks: 19
Executives may not access social networks on corporate devices: 18
Other: 5

Source: Economist Intelligence Unit survey, June 2012.

Similar challenges exist around social networking on mobile devices outside of the office, although company policies often restrict executive participation. Thirty-three percent of executives responding to the EIU survey said that they were not allowed to discuss any facet of their work on social networks, and another quarter said that only authorised spokespersons were permitted to even access social networks on corporate devices. Executive use of social networking will continue to be restricted, either by policy or unwritten agreement, to protect corporate information and limit liability, our research found.

Of course, different job seniorities require access to different types of data and our survey yielded few surprises here. Among C-level executives, financial information (60%) and strategic planning (42%) were significant productivity drivers. Managers look for operational data (44%) and sales-and-marketing data (43%), while lower-ranked staffers most need access to customer (42%) and operational data (42%). Making effective decisions (52%) and avoiding missed opportunities (42%) are the top reasons that senior executives seek mobile access to critical business data, according to our survey. Liaison with third parties—such as suppliers—comes particularly high on the list for smaller companies; 42% of respondents at firms with revenue under US$500m put this in their top three, compared with 37% of all firms. This need to stay connected helped transform email into a must-have application on mobile devices and remains the primary tool used by executives in our study to access business data remotely (81%).

CASE STUDY Ipsos, a hybrid approach

In regions like Latin America in which face-to-face contact is preferable for market research, smartphones and tablets are replacing pencil and paper as the survey tools of choice. Ipsos, a global market research firm, embraced this shift toward using mobile devices in its operations in Mexico and elsewhere. The company currently operates in 84 countries and has 16,000 full-time employees. Its research spans multiple methodologies from online to in-person, resulting in more than 70 million interviews per year worldwide.

Ipsos currently provides company-owned handhelds to its interviewers, but it is working on a new approach, says Arturo Medina, IT director at Ipsos Mexico. “Since the cost of custom mobile devices are quite expensive, we are adopting a hybrid model of ‘bring your own device’ policies,” he says.

In the hybrid model under development, interviewers are offered a choice of one of three smartphone models that Ipsos knows can run its interviewing software. Employees pay for their own device through incremental payroll deductions. Under normal circumstances, Mr Medina says workers will own the device outright in 2-3 weeks.

Ipsos provides a VPN connection to its company data, while the employee pays for all other smartphone functions. Ipsos manages the devices so it can remotely expunge business information if necessary. The data accessed on the smartphone are encrypted, preventing some losses. Interviewers must also adhere to corporate usage policies. The interviewers have the flexibility to use one device everywhere, notes Mr Medina, yet the company has sufficient control to protect its data assets.


2 Loss, theft and bad habits: what are firms doing to meet the challenges?

Implementing systems to secure company data accessed across an array of different platforms costs money. So it is not surprising that only survey respondents from the largest companies feel confident about their firms’ data-security arrangements. While 45% of respondents from firms with annual revenue of US$10bn or more say that their firm has state-of-the-art data security measures in place, this falls to just 10% for respondents from smaller companies (US$500m). Moreover, even among firms with revenues between US$500m and US$5bn, as many as a third describe their companies’ policies as inadequate or completely inadequate.

Overall, our executive respondents accept the need for investment, with 69% rating security service investment a priority. But our research indicates that more needs to be done to educate executives about security risks. Some companies that believe they have strong security nevertheless allow risky practices. For example, among those executives who said their firms have industry-leading security practices (20%), 13% said there are no restrictions on their social-networking activities. This practice, of course, carries risk of accidental exposure of confidential company information. Our research found that setting social-networking policies can both enable effective interaction and help protect corporate data assets and avoid liability.

With fewer resources than their larger counterparts, smaller companies face stiffer challenges in securing mobile data. Nearly 40% of respondents from companies with annual revenue of US$500m or less described their company’s mobile data security policies as inadequate or completely inadequate. As with larger organisations, smaller companies with enforced, written policies can go a long way towards securing corporate data at relatively low cost. Devices sold in the last few years have built-in encryption that need only be activated. However, additional management tools are often needed to automate security processes, forcing smaller firms to balance purchasing protective technologies with lower-cost approaches like holding employees to security policies.

As the power of even the smallest mobile devices continues to increase, so does the risk of losing data for the most low-tech of reasons. Kensington, a US computer peripheral manufacturer, says more than 70m smartphones are lost annually, with only 7% recovered. Laptops are not immune either, with Kensington’s research showing that 10% will be lost or stolen over the life of the PC. Three-quarters of the losses occur during transit or while the employee is working at a remote location. A large percentage of those lost machines contain some type of business data.

The average cost of a corporate data breach incident reached US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That is more than double the average cost in 2005. Mr Raymond of Aramark thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may reach US$25m–500m.

Of particular concern to companies looking to prevent data breaches caused by employees, many mobile data losses are a direct result of user carelessness. Ponemon’s 2011 Cost of Data Breach Study found that anywhere from 30% to 40% of breaches were caused by negligence, followed by those due to malicious attacks (43%). The study found 50% of breaches from Italian companies were generated by the loss or theft of a mobile device. Only Germany (42%), France (43%) and Australia (36%) experienced more breaches caused by malicious attacks than those caused by negligence. India was the only country in which system glitches surpassed negligence and malice as causes of breaches.

Some notable mobile data losses illustrate how easily a breach can occur. The Cancer Care Group, an Indianapolis cancer clinic, lost the personal data of more than 55,000 patients as well as those of its employees in July 2012 when an employee’s laptop containing server backup files was stolen from a locked vehicle. The data were not encrypted, contrary to best practices. The MD Anderson Cancer Center, a Texas medical clinic, suffered two breaches between June and July 2012. While one incident was caused by an unencrypted portable USB key lost on a bus, another took place when a laptop, also unencrypted, was stolen from a faculty member’s home. Information on over 30,000 patients was compromised in the two breaches. After the second breach, the facility began a project to encrypt all of its data.

Getting a grip on BYOD

Since the “bring your own device” model is comparatively new, there are few tried-and-tested industry standards for BYOD policies. Typically, if an employee leaves the company, voluntarily or otherwise, company data must be quickly removed, preferably without interfering with the employee’s personal information. Acceptable use policies for BYOD usually include a clause permitting this. Companies can also protect themselves legally by modifying their existing mobile policies, recommends a June 2012 National Law Review brief. Policies that centre on harassment, discrimination and equal-employment opportunities policies, confidentiality and trade-secret-protection policies, and compliance and ethics policies may all be updated to protect companies against worker abuse of mobile policies.

As a safeguard against risky executive practices, many companies install software on the employee’s device to lock down its software, encrypt data and perform other administrative functions, such as updating calendars or applying security updates. Intrusive though this may sound for the employee, most mobile-device policies require some type of remote administrative access controls. Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Mr Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.

Mr Raymond says his company takes an alternative approach to device-centric mobile-security administration. Workers use the mobile device purely as a viewer, leaving company data on corporate servers that can be accessed securely and do the heavy computing, and not on the device itself. Methods of doing this, which include using virtual desktop technology and accessing data through web-based services like Salesforce.com, are becoming more widespread because mobile access to secure networks enables company-controlled encryption, authentication and management.

Arturo Medina at Ipsos, which imposes similar network-based controls, recommends a constant dialogue with employees to ensure compliance and prevent unauthorised downloads of corporate data. “Make clear the boundaries of sensitive information and user information, as well as what gets backed up as corporate info and what is considered personal information,” Mr Medina advises.

BYOD policies
How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)

Specifying approved devices: 25
Requiring sign off on acceptable use policy: 32
Monitoring applications on devices: 14
Requiring defined security software on personal devices: 31
Requiring a secure virtual environment on personal devices: 25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
Restricting mobile data access to specific apps: 18
No restrictions, executives have free access to whatever data is available: 20

Source: Economist Intelligence Unit survey, June 2012.

Companies can prevent many data breaches by adding password protection to mobile devices, be they laptops, smartphones or portable data storage devices, and by full encryption of the disk or USB key.

These devices should also be secured physically. For instance, they should not be left in unattended vehicles, even locked ones. Mobile phones and some PCs (those equipped with Intel’s VPro technology) can be remotely disabled and wiped clean of data if they go missing; the more sensitive the data they hold, the more critical it is that such a mechanism is put in place, since encryption can be broken.


3 Ever-more data on the go: the emerging trends

Almost 90% of organisations worldwide allow mobile access to critical data, according to the International Telecommunication Union (ITU), a UN agency. Of those organisations identified in the EIU survey that do not have formal BYOD policies, 25% say they plan to implement a programme in the next 12-18 months. They note that this type of programme makes for more motivated employees, an observation upheld by independent research. According to research conducted in August 2012 by iPass, a US mobile software company, many employees work up to 20 additional unpaid hours per week when they’re always connected. Almost 90% of iPass respondents said that wireless connectivity is as important a component of their lives as running water and electricity.

Though more employees are working outside of the office, establishing a mobile-access programme including BYOD is not an option for some firms. Highly regulated banking and finance companies have strict policies that prohibit letting executives access company data from their own devices. Steve Ellis, executive vice-president of Wells Fargo, notes that his company is approaching BYOD with caution and is currently evaluating options. A formal plan may be another year away, Ellis says. Other companies with no formal BYOD policy report seeing personal devices slip in under the radar. Before the introduction of Aramark’s formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. “It is no longer a wink and a nod,” Mr Raymond says. The higher the visibility of your program, the more likely it will be adhered to.

Policies aside, the nature of devices has changed as well. Currently, just over a quarter (27%) of critical data access is occurring by means of smartphones, according to our survey. Respondents expect this to rise to over a third (35%) in the next 12-18 months, with another 30% of critical data accessed by means of other mobile devices, up from a fifth currently. With the advent of newer software and the associated devices, tablets are poised to become a more widely used mobile window to corporate data for executives, perhaps even supplanting smartphones one day, according to an article in The Economist (October 2011). Their larger screen size expands the range of data that can be effectively viewed, and, supplemented by external keyboards, they enable easier interaction with apps.

Interestingly, although 42% of respondents said the C-suite needs secure and timely access to strategic planning data to be most productive, only 28% believe it is appropriate to make this data accessible to it on mobile devices. The main challenge, unsurprisingly, is concern about potential security and other risks. Nevertheless, only 11% of respondents to our survey say their organisation does not provide access to critical data outside the office.

Executive access devices
What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)

Smart phone: 85
Tablet: 41
Laptop: 85

Source: Economist Intelligence Unit survey, June 2012.

CASE STUDY US EEOC launches mobility pilot

The US Equal Employment Opportunity Commission (EEOC) FY 2012 budget was slashed by nearly 15%, from US$17.6m to US$15m. Needing to reduce operating costs, Chief Information Officer Kimberly Hancher reduced the agency’s mobile device budget by half. To help fill the gap, the agency launched a mobile BYOD pilot project. The project focused on providing employees with access to agency email, calendars, contacts and tasks. A few senior executives were provided “privileged” access to the agency’s internal systems as part of the project.

In the initial testing phase, 40 volunteers turned in their government-issued BlackBerry devices and instead used their personal smartphones. Information security staff, legal staff and the employees’ union generated rules that balanced employee privacy (social media policies, monitoring policies) with government security, such as the US National Institute of Standards and Technology (NIST) regulation SP 800-53 (also known as “Recommended Security Controls for Federal Information Systems and Organisations”). The second phase of the programme launched in June 2012. The EEOC worked with its contractors to configure agency email access for employees participating in the secondary testing. The agency’s remaining 468 employees using EEOC-issued BlackBerry devices were offered three choices:

1. Voluntarily return the BlackBerry and bring a personal Android, Apple or BlackBerry smartphone or tablet to work.

2. Return the BlackBerry and get a government-issued cell phone with voice features only.

3. Keep the BlackBerry with the understanding that the EEOC does not have replacement devices.

EEOC managers report positive results from the pilot so far. Employees pay for their own voice and data usage and the agency covers the licenses for the management software. The EEOC’s Mr Hancher noted that, for some employees, the cost may be an issue and there is an outstanding question of whether the agency will be able to provide some sort of reimbursement for part of the data and voice services. Mr Hancher notes that success was achieved by involving employees, the union and legal departments early in the process.


4. How can companies ensure effective mobile policies?

Survey respondents clearly recognise the advantages of enabling mobile data access and are aware of the necessary investments. Some of the measures that companies need to adopt to secure corporate data accessed by mobile devices can be put in place remotely. IT managers can currently add security features to laptops, smartphones and tablets, often using existing management tools. They can also separate company data from personal data as well as duplicate and store business data on corporate networks. Virtual desktops provide secure mobile access to data on personal laptops. These safeguards allow mobile workers to recoup data on a lost or damaged device with little effort. These measures will allow more executives in the future to access corporate data securely from any computer, according to our executive interviewees.

For the travelling C-level executive, less time spent updating security protocols means more time for getting work done. In the future data security will be strengthened with the help of technologies built directly into applications that protect the data itself, making interception and misuse more difficult, CSC’s Mr Tikoo said. “Applications should be able to recognize that I am working on an iPad or a little 5-inch screen and render the data to me appropriately.”

Mobile empowerment
In what ways is your company empowering access to critical data today and how might that change in the future? Select one answer in each column for each row. (% respondents)
Providing access to multiple types of data: today 60, in the future 47
Providing secure mobile environments to allow access to critical data: today 45, in the future 43
Enhancing secure access to data (eg, mobile device generated security tokens): today 41, in the future 45
Training executives to use mobile data more effectively: today 36, in the future 42
Enabling customised mobile views of data: today 24, in the future 58
Providing mobile apps to access critical data on multiple platforms: today 20, in the future 52
Providing secure cloud-based environments for mobile use: today 20, in the future 57
Designing intuitive mobile user interfaces: today 15, in the future 48
Incorporating new communication/data access methods (eg, QR codes, NFC): today 14, in the future 47
Source: Economist Intelligence Unit survey, June 2012.

Mr Raymond says that although his business doesn’t require it, separate environments for business and personal use are important. But if the policies surrounding them, or any other security measures, are not enforced, there will be consequences. He says he is always surprised when speaking with his peers at how much of security in large organisations is just “smoke and mirrors”. The words are there, the enforcement is not.

Ipsos, a global research company, requires every employee to complete a security-awareness training course delivered over its corporate intranet—a cost-effective way to reach its staffers in 84 countries. While its programme was internally developed, commercially available security-awareness products that can be customised for local needs are readily available from organisations such as the US National Security Institute (NSI). Employees are also required to sign a mobile acceptable use policy that covers everything from the type of data they may access from a mobile device to rules concerning password strength.

Other security safeguards require reliable action on the part of users. While mobile devices should have passwords, Coalfire, an audit and compliance firm, estimates only half of personal devices currently do. Employees in a BYOD programme must agree that if their personal devices are lost or stolen, the IT department’s responsibility includes remotely wiping out information on personal devices to protect company data.

There is clearly some way to go in most organisations to educate staff on the security issues raised by mobile access of company data. The survey indicated that executives outside Europe and North America are more likely to resist data-security policies on personal devices. Yet, in an increasingly interconnected business world, security gaps in one region can affect compliant companies (and their customers) elsewhere.


5. Conclusion

Not only will mobile data access expand, the trend is unstoppable. Unmanaged and unsecured devices have already crept into the business environment, putting company data at risk and opening the door to attacks through compromised devices. Almost one-third of respondents in our survey report inadequate mobile device policies at their companies. Establishing sensible, workable policies is a first step to achieving a viable mobile data access programme.

Executives classifying their device policies as industry-leading indicate they use data on-the-go to make more effective and collaborative decisions, avoid missed opportunities and work more effectively with partners and customers. To ensure that this access won’t compromise business data, executives may want to prioritise programmes that mitigate risk and support investments in data and security services.

Connected devices are becoming increasingly integral to global business. The type of device in use is evolving, with tablets being the up-and-coming device of choice. We can expect to see significant growth in the use of tablets after the release of the next generation of software operating systems, which will give tablets a wider range of data-access options than smartphones. This will be a mixed blessing, analysts believe, as tablets will be supplemental devices to existing systems, not replacements.

Securing critical data in the future may mean creating even more stringent access requirements. The shift towards tablets for business outside the office, for example, will open up a whole new set of challenges because it will encourage executives to seek mobile access to a wider range of data. It will require many companies to take a fresh look at the whole issue, from devices and their weaknesses through available infrastructure to the users themselves.


Appendix: survey results

Percentages may not add to 100% owing to rounding or the ability of respondents to choose multiple responses.

Based on your observations, how does your organisation’s mobile device policy compare to those of its competitors within your industry? (% respondents)
Industry leading (my organisation has a written, formal, enforced policy for the management and use of mobile devices): 20
Adequate (my organisation has informal guidelines that are monitored and enforcement action taken when necessary): 47
Inadequate (my organisation has informal or formal guidelines that are neither monitored nor enforced): 19
Completely inadequate (my organisation has no formal or informal policy for the use and management of mobile devices): 11
Don’t know: 3

What leading business factors are driving the need for access to critical data from mobile devices? Select up to three. (% respondents)
Making more effective decisions: 52
Avoiding missed opportunities: 42
Working more effectively with third parties (suppliers, partners, customers, etc): 37
Empowering executives: 37
Keeping up with competitive pressures: 31
Maximising more business functions: 27
Satisfying internal demand: 21
Controlling costs: 16
Other: 3
We have no need for mobile data access: 1


Does your organisation allow access to critical data outside the office? (% respondents)
Yes, on company-owned devices only: 43
Yes, on either company or personally-owned devices: 46
No: 11
I don’t know: 1

What devices does your organisation provide to its executives to access critical data? Select all that apply. (% respondents)
Smartphone: 85
Tablet: 41
Laptop: 85
Pager: 2
Other: 1
We do not provide company-owned devices to executives: 3

Does your organisation allow executives to bring their own devices (BYOD) and use them instead of company-owned devices to access critical data? (% respondents)
Yes: 49
No: 49
I don't know: 3

How has your organisation implemented BYOD for access to critical data? Select all that apply. (% respondents)
Specifying approved devices: 25
Requiring sign off on acceptable use policy: 32
Monitoring applications on devices: 14
Requiring defined security software on personal devices: 31
Requiring a secure virtual environment on personal devices: 25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device): 21
Restricting mobile data access to specific apps: 18
No restrictions, executives have free access to whatever data is available: 20


Does your organisation plan to implement BYOD for access to critical data? (% respondents)
Yes: 20
No: 55
I don't know: 25

What do you perceive is the biggest obstacle to implementing BYOD for access to critical data? (% respondents)
Corporate security or risk concerns: 50
Corporate IT concerns over difficulty managing personal devices: 14
Corporate IT resistance to supporting executives’ personal devices: 14
Executive resistance to policy restrictions on personal devices: 9
Cost of required device management infrastructure: 6
Other: 4
Allocation or management of charges on executive devices: 4

In your opinion, what are the greatest challenges your company faces in securing access to critical data over mobile devices, whether owned by the firm or the executive? Select up to four. (% respondents)
Multiple data sources, each requiring distinct security measures: 49
Lack of knowledge about security/risk of mobile access: 48
Lack of resources to manage/secure data access: 34
Classifying data to determine risk profile for each source: 34
Lack of apps for all required platforms (eg, there may be an iPhone app, but not one for Android): 25
Data unsuitable for remote access: 23
Executive resistance to security measures: 22
Lack of resources to develop needed apps/access methods: 21
Legacy systems are prohibitive: 16
Lack of mobile access for some locations: 12
Other: 1
We do not face this challenge: 5


Besides your job title, what determines which data are/will be made available to mobile devices? Select up to three. (% respondents)
Availability of data: 40
Departmental or organisational standards: 32
Availability of mobile data access apps: 31
Type of access method (on site vs remote): 30
Speed at which up-to-date information is required: 29
Cost: 23
Screen size of the device accessing the data: 21
Regulatory compliance: 20
User preferences: 19
Other: 3

What determines which users are/will be permitted to access critical data on mobile devices? Select up to three. (% respondents)
Departmental or organisational standards: 54
Availability of data: 28
Type of access method (on site vs remote): 25
Cost: 24
Regulatory compliance: 23
Availability of mobile data access apps: 21
Speed at which up-to-date information is required: 20
User preferences: 19
Screen size of the device accessing the data: 9
Other: 3


What are the most important influences on company policies and approaches towards creating a mobile device and application strategy? Select up to three. (% respondents)
IT infrastructure requirements to accommodate mobile access: 60
Pressure from executives needing anywhere/anytime access to data: 44
Legal/regulatory requirements around data management: 40
Pressure from security/risk management: 39
Competitive pressure, wanting to be perceived as up-to-date by customers and competitors: 31
Pressure from senior management who wish to use personal devices: 23
Cost: 19
Other: 1

Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? C-level executives. Select up to three for each role. (% respondents)
E-mail: 74
Financial information: 60
Strategic planning: 42
Competitive intelligence: 35
Operational data: 24
Sales and marketing: 18
Customer information: 10
Human resources: 8
News or social network feeds: 6
Other: 1


Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? Business managers. Select up to three for each role. (% respondents)
E-mail: 75
Operational data: 44
Sales and marketing: 43
Customer information: 30
Financial information: 26
Competitive intelligence: 23
Human resources: 15
Strategic planning: 13
News or social network feeds: 8
Other: 1

Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive? Employees. Select up to three for each role. (% respondents)
E-mail: 80
Operational data: 42
Customer information: 42
News or social network feeds: 23
Sales and marketing: 20
Human resources: 17
Competitive intelligence: 7
Financial information: 7
Strategic planning: 4
Other: 1


Which of these types of information/media are appropriate to be made accessible on mobile devices? C-level executives. Select up to three for each role. (% respondents)
E-mail: 81
Financial information: 45
Strategic planning: 28
Competitive intelligence: 28
Operational data: 22
Sales and marketing: 19
News or social network feeds: 15
Customer information: 11
Human resources: 8
Other: 1

Which of these types of information/media are appropriate to be made accessible on mobile devices? Business managers. Select up to three for each role. (% respondents)
E-mail: 81
Operational data: 38
Sales and marketing: 37
Customer information: 25
Competitive intelligence: 19
Financial information: 19
News or social network feeds: 17
Human resources: 14
Strategic planning: 9
Other: 1


Which of these types of information/media are appropriate to be made accessible on mobile devices? Employees. Select up to three for each role. (% respondents)
E-mail: 82
Operational data: 35
News or social network feeds: 33
Customer information: 33
Sales and marketing: 18
Human resources: 12
Financial information: 5
Competitive intelligence: 5
Strategic planning: 3
Other: 1

Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? C-level executives. Select up to three for each role. (% respondents)
E-mail: 60
Financial information: 27
News or social network feeds: 25
Competitive intelligence: 23
Operational data: 21
Strategic planning: 21
Sales and marketing: 19
Customer information: 14
Human resources: 7
Other: 2


Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? Business managers. Select up to three for each role. (% respondents)
E-mail: 59
Sales and marketing: 33
Operational data: 29
News or social network feeds: 26
Customer information: 22
Competitive intelligence: 16
Financial information: 14
Human resources: 12
Strategic planning: 6
Other: 2

Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage? Employees. Select up to three for each role. (% respondents)
E-mail: 62
News or social network feeds: 34
Operational data: 28
Customer information: 25
Sales and marketing: 17
Human resources: 10
Competitive intelligence: 7
Financial information: 5
Strategic planning: 3
Other: 2

Does your organisation provide mobile access to data for each of the following groups? (% respondents)
All international locations: Yes 54, No 34, Don’t know 12
All locations in your region: Yes 67, No 27, Don’t know 6
All departments: Yes 56, No 37, Don’t know 7
All roles: Yes 35, No 58, Don’t know 7


Does your organisation have policies in place for acceptable use of social networks (eg, Facebook, Twitter) on corporate devices? (% respondents)
Yes: 56
No: 39
I don’t know: 5

What policies does your organisation face around social network use on corporate devices? (% respondents)
Executives may not discuss any facet of their work on social networks, but are permitted personal use: 33
Only authorised spokespersons are permitted to access social networks on corporate devices: 26
Executives have unrestricted access to social networks: 19
Executives may not access social networks on corporate devices: 18
Other: 5

What is the ratio of time you spend on company-owned vs personal-owned mobile devices for your organisation? Drag the slider button to choose a relevant percentage split that reflects how each option should be weighted (eg, 60% to 40%). (% respondents)
Ratio (company owned to personal owned), followed by % of respondents:
100:0 12
90:10 23
80:20 17
70:30 13
60:40 6
50:50 9
40:60 3
30:70 3
20:80 2
10:90 3
0:100 9

What kind of priority does your organisation accord to the following strategies? Rate on a scale of 1 to 5, where 1=High priority and 5=Not a priority. (% respondents)
Columns: 1 (High priority), 2, 3, 4, 5 (Not a priority)
Investing in data services: 27, 35, 25, 9, 4
Investing in mobile services: 16, 29, 31, 15, 9
Investing in security services: 37, 32, 19, 9, 3


What is the proportion of critical data you access over mobile channels today? Total should be 100%
Average
Mobile via smart phone: 26.9
Mobile on other devices (eg, tablet): 21.7
Non-mobile access: 59.8

What will be the proportion of critical data you access over mobile channels in 12-18 months? Total should be 100%
Average
Mobile via smart phone: 34.5
Mobile on other devices (eg, tablet): 30.2
Non-mobile access: 42.8

In what ways is your company empowering access to critical data today and how might that change in the future? Today. Select one answer in each column for each row. (% respondents)
Providing access to multiple types of data: 60
Providing secure mobile environments to allow access to critical data: 45
Enhancing secure access to data (eg, mobile device generated security tokens): 41
Training executives to use mobile data more effectively: 36
Enabling customised mobile views of data: 24
Providing mobile apps to access critical data on multiple platforms: 20
Providing secure cloud-based environments for mobile use: 20
Designing intuitive mobile user interfaces: 15
Incorporating new communication/data access methods (eg, QR codes, NFC): 14

In what ways is your company empowering access to critical data today and how might that change in the future? In the future. Select one answer in each column for each row. (% respondents)
Enabling customised mobile views of data: 58
Providing secure cloud-based environments for mobile use: 57
Providing mobile apps to access critical data on multiple platforms: 52
Designing intuitive mobile user interfaces: 48
Providing access to multiple types of data: 47
Enhancing secure access to data (eg, mobile device generated security tokens): 45
Providing secure mobile environments to allow access to critical data: 43
Training executives to use mobile data more effectively: 42
Incorporating new communication/data access methods (eg, QR codes, NFC): 47


In the next 12–18 months, what does your organisation expect to do with access to critical data that it is not currently able to do? Select all that apply. (% respondents)
Provide wider data support for mobile devices: 47
Identify risks that are not currently apparent: 46
Further improve business process efficiencies: 45
Provide access to data from more data sources: 44
Identify opportunities that are not currently apparent: 40
Improve customer service: 34
Speed up process improvements: 33
Provide access based on user’s role and/or device type: 32
Increase consumer engagement: 27
Drive new revenue streams: 23
Innovate on more diverse and timely feedback: 17
Other: 1

In which region are you personally located? (% respondents)
Asia-Pacific: 27
Latin America: 9
North America: 29
Eastern Europe: 3
Western Europe: 25
Middle East and Africa: 6

In which country are you personally located? (% respondents)
United States of America: 23
India: 10
Canada: 7
United Kingdom: 6
Germany: 4
Singapore, Australia, Brazil, Mexico: 3
Italy, Hong Kong, Switzerland, China, Nigeria, Spain: 2
France, Belgium, Netherlands, South Africa, Finland, Japan, Malaysia, New Zealand, Portugal, United Arab Emirates, Chile, Sweden, Russia, Bahrain, Bulgaria, Colombia, Czech Republic, Hungary, Israel, Pakistan, Philippines, Poland, Taiwan, Thailand: 1

What are your organisation’s global annual revenues in US dollars? (% respondents)
$500m or less: 45
$500m to $1bn: 9
$1bn to $5bn: 17
$5bn to $10bn: 7
$10bn or more: 22


Which of the following best describes your title? (% respondents)
Board member: 5
CEO/President/Managing director: 27
CFO/Treasurer/Comptroller: 8
CIO/CTO/Technology director: 5
Other C-level executive: 8
SVP/VP/Director: 17
Head of Business Unit: 3
Head of Department: 8
Manager: 15
Other: 3

What is your primary industry? (% respondents)
IT and technology: 13
Financial services: 11
Professional services: 11
Energy and natural resources: 9
Healthcare, pharmaceuticals and biotechnology: 8
Manufacturing: 8
Consumer goods: 6
Government/Public sector: 5
Telecoms: 4
Chemicals: 3
Entertaining, media and publishing: 3
Transportation, travel and tourism: 3
Retailing: 3
Education: 3
Logistics and distribution: 3
Construction and real estate: 2
Agriculture and agribusiness: 2
Aerospace and defence: 2
Automotive: 1

What is your main functional role? (% respondents)
General management: 30
Strategy and business development: 17
Finance: 15
Marketing and sales: 10
IT: 7
Operations and production: 5
Information and research: 3
R&D: 3
Risk/Security: 2
Procurement: 2
Customer service: 2
Human resources: 2
Supply-chain management: 2
Legal: 1


Whilst every effort has been taken to verify the accuracy of this information, neither The Economist Intelligence Unit Ltd. nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this white paper or any of the information, opinions or conclusions set out in the white paper.

Cover: Shutterstock
