ISACA has released insights from its 2012 IT Risk/Reward Barometer. The results confirm that respondents recognise the risk posed by employee activities on both work and personal devices. For example, a consistently high percentage of respondents across all regions cited storing passwords in a file on a personal device as a high risk to the enterprise (ranging from 72% in Asia Pacific to 81% in the US). The figure fluctuated far more for the same habit on a work-supplied device (ranging from 44% in the UK to 74% in Africa), which suggests that ownership of the device, rather than the practice itself, shapes how the risk is perceived.
The study, conducted amongst 4,500 IT professionals from 83 countries, many of them at management level or above, illustrates that organisations view 'people' as a high risk. Additionally, 'bring your own device' (BYOD) is a phenomenon that most are still grappling with. Corporate data travelling across geographical boundaries also poses a serious threat to an organisation's security posture.
Speaking about the trends the study reveals, Ramsés Gallego, international vice president of ISACA and security strategist for Dell/Quest Software said, “The information world is changing at the speed of light and this study confirms that many are struggling to keep pace—especially when it comes to managing their risk. The organisation’s perimeter is blurring, as it shifts from a physical boundary to wherever an individual happens to be at any given moment, with whatever device happens to be in their hand at the time. For example, if I travel to Singapore or Chicago with a corporate-owned laptop, my smartphone and tablet, I take the organisation’s perimeter with me. Organisations must embrace BYOD, as it’s the way people want to work. And, while BYOD sounds like an invitation to bring a personal device, the truth is people are using their devices whether the organisation wants them to or not.”
The loss of a work-supplied computer or smartphone was also identified as a high risk (scoring between 56% and 88%), and the use of online file-sharing services for work documents also featured highly (between 60% and 76%). Interestingly, when looking at what enterprises do and do not allow, many actually prohibit the use of online file-sharing services (ranging from 56% to 67%); although, Oceania and Africa seem to be more tolerant of this trend, (47% and 49% respectively).
Many of the organisations surveyed said they limit personal use of work-supplied devices (ranging between 45% and 61%), while the harder stance of prohibiting personal devices for work purposes fluctuated widely (between 16% in Oceania and 40% in the UK). There was greater consensus that the risk of BYOD, where employees are allowed to use personal devices for work activities, outweighs its benefit, with between 47% and 60% of respondents taking that view.
Where respondents confirmed that BYOD was allowed within their organisation, the most frequently cited benefits across all regions were greater efficiency, increased productivity, cost reductions, and satisfaction of and flexibility for employees.
However, the security controls imposed on personal devices were worryingly weak: fewer than half of respondents confirmed that encryption was used to protect data stored on them (the highest score, 48%, was in Europe). Password management systems scored slightly higher (the highest being 50% in Africa), but the average was still below half, and some regions were significantly lower, dropping to just 39% in the UK. A little more reassuring, although still poor and less consistent across regions, was the percentage of organisations with remote wipe capability for personal devices (varying between 23% and 46%). Without encryption at rest and remote wipe, a lost or stolen device exposes whatever data it holds, which is precisely the scenario respondents rated as high risk above.
Another notable result is the lack of controls surrounding the practice of carrying business data on a mobile device, irrespective of ownership, across country borders: on average, two thirds of the organisations surveyed have no policy prohibiting this. With many countries re-examining their data privacy laws (Germany being a recent example), this is set to become an issue organisations need to address, and quickly. Location-based apps (e.g. Foursquare) may be useful for knowing where employees are; however, individuals may be less receptive to the prospect of being tracked. At present, the majority of organisations have no policy governing the use of these apps, with fewer than 12% prohibiting their use for all staff.
While the greatest hurdle enterprises faced when addressing IT-related business risks varied across the regions—budget limits, lack of management support and insufficient resources were cited most often—all regions concurred that increasing risk awareness among employees was the most important action the enterprise can take to improve IT risk management.
Gallego stated, “In summary, the barometer results demonstrate that employees need to understand their responsibilities—what they can and cannot do and what devices are acceptable to do it with. And, organisations need to take control if they are to manage the risk posed to the enterprise from mobile devices, regardless of ownership. The bottom line is protecting data, and ultimately the ‘brand’. For many, this may mean the capability to remote wipe devices—regardless of ownership—when a serious risk is inevitable, either because the device has been misplaced, local legislation is breached, or alternative ramifications introduced as deemed appropriate. Organisations must develop the right approach, dependent on their attitude to risk, that allows them to embrace and adapt.”