Nearly 40% of IT professionals felt fully aware of the mobile devices accessing their infrastructure and applications, according to a survey of more than 500 IT professionals. Around 35% felt that they were fairly aware of mobile devices accessing their infrastructure, and 14% said they were only vaguely aware.
“This was a surprise to me. I’m not seeing this level of knowledge. My experience is that the majority of people I’m working with are concerned that they don’t have enough knowledge about what is connecting to their networks”, commented Kevin Johnson, founder of Secure Ideas consulting, during a webcast last week sponsored by SANS to discuss the survey results.
“Virtually every customer I talked to tells me that they are surprised by what they discover on their network”, added Tom Murphy, chief marketing officer at Bradford Networks. “I don’t think anyone is completely aware of all the mobile devices on their network.”
Daniel Miessler, principal security consultant with HP ShadowLabs, observed that IT professionals are feeling “ambushed by mobile as opposed to strategically planning it out like you would do with a rollout.”
The survey found that IT professionals are managing multiple mobile device types, with RIM’s BlackBerry being the most commonly supported mobile device, followed by Apple’s iPhone and iPad, and Google’s Android.
“It is less common that organizations say to employees ‘This is what you are going to use and nothing else’. What we are seeing instead is that multiple platforms are being supported”, said Johnson, whose firm conducted the survey.
“Clients want the ability to not only manage the mobile device, but the security of the transaction the mobile device is making. It could be an application, it could be a policy, it could be a permission…. They want to be able to manage all of the different apps and operating systems simultaneously and have full visibility when the CEO brings in the iPad or the Android tablet”, said Adam Stein, marketing manager at MobileIron.
According to the survey, more than 50% of respondents either did not have policies to support bring your own device (BYOD) or they depended on the user to comply with corporate policy for securing these personally owned devices. Only 41% felt strongly that they have policies to support BYOD, of which 17% are standalone policies and 24% are integrated as an aspect of their overall security policies. Some 56% of respondents either did not have a policy regarding mobile devices or “sort of” had policies.
“Of those organizations that have a policy, many are taking a layered approach by using multiple means of managing risk at the endpoint, on the network and even on the device itself…. If policy mirrors that market, then organizations will need to take great care assessing their infrastructures and user needs as well as mapping out a strategy that meets current and perceived future mobility programs”, the report concluded.