Most companies ‘allow’ BYOD instead of maximizing it

Most businesses simply do not have a consistent and effective BYOD policy, according to new research from Blue Coat

This is the basic finding of a new survey published today by Blue Coat. Fundamentally, it shows that users have greater faith in the security of their mobile devices than that held by their employers’ IT staff.

Eighty-eight percent of users believe their mobile devices are at least relatively secure; but 77% of IT managers see the risk of malware spreading to the corporate network from mobile devices as moderate to very high. The result, caught in the crossfire between what users want and what the business fears for its security, is often a policy that is both insecure and inefficient.

For example, 83% of companies allow access to email via mobile devices while 56% allow access to instant messaging. But far fewer companies allow access to business applications such as ERP (31%), sales force automation (24%) and supply chain management (19%) via these same devices. Because a primary method of infection is still via email, the security of the applications is not ensured simply by denying direct access to them. But the problem gets worse since many organizations aren’t even aware of what is happening. IT staff believe that around 37% of users access the corporate network via mobile devices, while almost double that number (71%) of employees actually claim to do so. 

The clear impression is one of confusion – most businesses simply do not have a consistent and effective BYOD policy. The problem seems to be twofold. First, BYOD security cannot be handled by traditional perimeter defense around the data center; second, users have a ‘this phone is my phone’ attitude. The same survey finds that only 12% of employees would allow restrictions on what sites they visit.

In conversation with Infosecurity, John Yun, Blue Coat’s director of product marketing, suggested that any solution needs to cater for both of these issues. Firstly, he suggested, if you cannot bring the mobile device within the perimeter defense, extend that perimeter to include all of the devices. This can be achieved by combining cloud-based security with a VPN. The idea is to use a VPN from the device to a cloud-based perimeter defense before onward passage to the internet at large. The new defensible cloud-based perimeter automatically includes all mobile devices that can access the corporate servers, and can include a firewall, anti-virus and URL filtering to keep the mobile device secure. The secure mobile devices could then be trusted to access business applications as well as simply email, thus maximizing the corporate BYOD policy.

This would require an agent on the mobile device – an idea that users currently reject. Here Yun believes that the idea needs to be better sold: a security partnership between the user and the company, with a flexible policy that gives the user personal freedom but corporate security. By installing policy management within the same cloud-based security, restrictions and monitoring of websites visited can be canceled during personal time, and active during work time. However, the user would get full-time security (the firewall and anti-virus) protecting his or her personal details on the mobile device.

Today Blue Coat launches such a service, extending, says Steve Schoenfeld, vice president of product management, “threat protection and policy controls from the corporate network to mobile devices, wherever they are, to give employees the access they want and businesses the confidence that their users and data are protected.”
