Last week, 451 Research analyst Daniel Kennedy released a report which revealed that corporate data protection is the top mobile concern for security managers. How much of a concern? Forty-two percent (42%) of the security managers they spoke to cited data security as the top priority. The next highest concern was user-owned devices (BYOD) at 11%. While I am not surprise that data security is the top concern and BYOD is second, I must confess that I find the huge delta between the two concerns surprising. With BYOD such a distant second, it is apparent that security managers do not feel that company data, such as PII, PHI, PCI and intellectual property (IP), is safe even on corporate-owned devices.
So why is this? I think primarily it is the pressure that organizations are under from workers to extend business workflow to mobile devices. A recent IBM sponsored survey, The State of Mobile Security Maturity by Information Security Media Group (iSMG), found that 97% of organizations allow the use of mobile devices in some capacity to enable work efficiency. Let that one sink in… only 3% of organizations are not using mobile devices for work-related purposes. Even if most of the organizations only allow email access from mobile devices (phones and tablets), that is still a considerable data risk. Email attachments could contain huge amounts of PII, or the secrets to a new invention not yet patented.
What security managers realize is that protecting the device alone is not sufficient to protect the organization from data loss. The same iSMG survey found that the most sought after capabilities mobile security managers are looking for are: 1) an encrypted container for enterprise content, 2) restricted sharing of enterprise content to non-enterprise approved apps, 3) the ability to wipe only enterprise data (BYOD), and 4) the ability to encrypt specific data items.
Do these requirements match your goals for protecting data on mobile devices?