More than ever, end users rely on smartphones to keep them connected both personally and professionally. As a result, enterprises now must support a wide variety of both enterprise- and employee-liable devices – a trend known as the consumerization of IT. However, the conversation around the consumerization of IT almost always revolves around what IT departments think of this rapidly growing trend. So, Symantec recently conducted a short survey to learn more about end users’ experiences and perspectives on the consumerization of IT.
Our intention was to simply get a glimpse into the thoughts and opinions of end users; thus, we used Symantec’s social media channels – specifically Facebook and Twitter – to recruit respondents. In the end, 154 individuals participated in the survey. Most of the respondents (61 percent) were from North America, but the Europe, Middle East and Africa (28 percent); Asia Pacific and Japan (8 percent); and Latin America (three percent) regions were also represented.
Let’s walk through each of the key findings to take a deeper look at what indications from the survey results led us to our conclusions.
Key Finding: End users realize the productivity and satisfaction benefits of allowing employees to use the smartphones of their choice for work, but don’t fully comprehend the extent of the security challenges this creates.
The vast majority of the respondents to our survey said they think allowing end users to use the smartphones of their choice for work increases end user productivity and satisfaction. However, most also think that allowing employees to use the smartphones of their choice either has no impact on or only somewhat decreases the overall security of their company’s networks and information. This is an indication that enterprises might not be educating employees on the potential security risks these devices create and how to best keep them and the data on and accessible through them protected.
Key stats include:
· 71 percent of respondents think letting employees use the smartphone of their choice for work-related activities somewhat to significantly increases employee productivity.
· 85 percent also think it somewhat to significantly increases employee satisfaction.
· 23 percent also think letting employees use the smartphone of their choice for work-related activities has no impact on the overall security of company networks and information, and another 52 percent think it only somewhat decreases the overall security.
Key Finding: The consumerization of IT has already become a reality for most organizations.
The vast majority of respondents also said their company allows employees to use the smartphones of their choice for work-related activities. As further evidence that the consumerization of IT trend is in full swing, nearly identical percentages of respondents said their employer provided them with their smartphone as those who said they purchased their own. Together, these results demonstrate the consumerization of IT is no longer an emerging trend; for many enterprises, it is simply a reality.
Key stats include:
· 63 percent of respondents said their company allows employees to use the smartphones of their choice for work-related activities.
· Another 25 percent said their company allows employees to use the smartphone of their choice within a set list of smartphone options.
· Only 12 percent of respondents said their company does not give employees the ability to choose their smartphone.
· 44 percent of respondents said their employer provided them with their smartphones.
· 43 percent said they purchased their own work-related smartphones.
Key Finding: Despite most organizations allowing employees to use their work-related smartphones for personal use, they are still struggling to effectively communicate mobile device policies and/or best practices.
Nearly all respondents said their companies allow employees to use their work-related smartphones for personal use, but just over half said their employer has communicated policies and/or best practices to them regarding the security of their devices. Given that completely unmanaged personal use of a work-related smartphone could potentially open security holes in an enterprise’s networks, this is a good start, but more must be done.
Key stats include:
· 91 percent of respondents said their company allows employees to use their work-related smartphones for personal use as well.
· Only 51 percent said their employer has communicated policies and/or best practices to them regarding the security of their smartphones.
Key Finding: The mobile device security policies and/or best practices that are being communicated primarily deal with the loss or theft of devices, with malicious apps still taking a backseat.
Of those respondents who had been briefed by their employer on smartphone security policies and/or best practices, the need to password protect mobile devices was the most commonly communicated, while the least were guidelines around the downloading of apps for smartphones. Given the fact that the majority of malicious malware for smartphones being observed by Symantec involves legitimate apps that have been Trojanized and re-published on third-party app hosting sites, organizations need to do better at communicating policies and/or best practices related to downloading apps.
Key stats include:
· 88 percent of respondents said their employer has communicated policies and/or best practices to them related to password protecting their smartphones.
· 65 percent said their employer has communicated policies and/or best practices to them for which smartphones are allowed to connect to company resources based on mobile platform.
· 62 percent said their employer has communicated policies and/or best practices to them related to using security software on their smartphones.
· 42 percent said their employer has communicated policies and/or best practices to them for downloading apps to their smartphones.
Key Finding: Employees are using smartphones to access sensitive and confidential information, and while organizations are improving in their efforts to ensure that these devices are secure and properly managed, more needs to be done.
Despite the fact that nearly half of respondents said they are not aware of any mobile device security and/or management software or tools their company uses in relation to their devices, nearly three-fourths said they access information that could be considered sensitive or confidential with their devices. The most common sensitive information accessed is competitive or proprietary data and personally identifiable information.
Key stats include:
· 42 percent of respondents said they are not aware of any mobile device security and/or management software or tools their company uses in relation to their devices.
· 73 percent said they use their work-related smartphones to access information that could be considered sensitive or confidential.
o 73 percent of the potentially sensitive or confidential information accessed by respondents is competitive or proprietary data.
o 67 percent of the potentially sensitive or confidential information accessed by respondents is personally identifiable information.
Key Finding: End users don’t fully realize the potentially sensitive nature of the information stored on smartphones.
We gave our survey takers four options – laptop, smartphone, wallet and car keys – and asked which of these items if lost would cause the greatest emotional distress. In the first place column, the majority ranked wallet first, followed by laptop, smartphone and car keys. This indicates end users realize the direct financial loss and threat of identity theft possible with the associated loss of a wallet, which could contain a driver’s license, credit and debit cards and other personally identifiable information, such as a social security card. However, as smartphones become more ingrained in end users’ daily routines, the amount of sensitive information and data stored on these devices is increasing and that this data can also lead to direct financial loss and/or identity theft.
Key stats include:
· 52 percent of end user respondents ranked wallet first.
· 27 percent ranked laptop first.
· 13 percent ranked smartphone first.
· 8 percent ranked car keys first.
Key Finding: Smartphones rank high on end users’ must-have technology lists.
Asked what they would give up before giving up their smartphone, the vast majority of our respondents said they would give up their MP3 player, one-third said they would give up their TV and a quarter even said they would give up their laptop. This highlights the fact that, as smartphones become more sophisticated, end users are using them for an ever increasing list of daily activities, and in many instances can even replace existing specialized technology with their smartphones. As end users store more of their digital lives on mobile devices, the need to properly secure and manage them will only increase.
Key stats include:
· 82 percent of respondents said they would be willing to part with their MP3 player before giving up their smartphone.
· 49 percent said they would be willing to part with their DVR before giving up their smartphone.
· 43 percent said they would be willing to part with their tablet computer before giving up their smartphone.
· 35 percent said they would be willing to part with their TV before giving up their smartphone.
· 24 percent said they would be willing to part with their laptop before giving up their smartphone.
Key Finding: Despite being tech savvy smartphone users, some people just shouldn’t be parents.
Just for fun, we also included “firstborn child” in the list of items to choose from that respondents would give up before parting ways with their mobile devices. Unexpectedly, a couple of respondents actually selected this option. We at Symantec know just how cool smartphones are, but for their children’s sake, we hope those respondents never actually have to make that decision! Just somewhat more forgivable, nearly a third of the respondents also said they would give up their favorite food for a year before handing over their smartphone.
Key stats include:
· 1 percent of respondents said they would be willing to part with their first born child before giving up their smartphone.
· 29 percent said they would be willing to part with their favorite food for a year before giving up their smartphone.
There you have it, the key findings from our consumerization of IT end user survey. To close, here is a quick recap of the top mobile security and management best practices users and enterprises alike should follow. These will help keep both mobile devices and the data accessible through them safe:
· Encrypt the data on mobile devices– The business-related and even personal information stored on mobile devices is often sensitive. Encrypting this data is a must. If a device is lost and the SIM card stolen, the thief will not be able to access the data if the proper encryption technology is loaded on the device.
· Use security software on your smartphone– Security software specifically designed for smartphones can stop hackers and prevent cybercriminals from stealing information or spying on users when using public networks. It can also eliminate annoying text and multimedia spam messages. It can detect and remove viruses and other mobile threats before they cause problems.
- Develop and enforce strong security policies for using mobile devices – In addition to encryption and security updates, it is important to enforce password management and application download policies for managers and employees. Maintaining strong passwords will help protect the data stored in the phone if a device is lost or hacked.
· Make sure all software is up-to-date– Mobile devices must be treated just like PCs in that all software on the devices needs to be kept up-to-date, especially the security software. This will protect the device from new variants of malware and viruses that threaten a company’s critical information. Enterprises should consider implementing a mobile management solution to ease this process.
· Avoid opening unexpected text messages from unknown senders– Just like emails, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users. The same caution should be applied to opening unsolicited text messages that users have become accustomed to with email.
· Click with caution– Just like on stationary PCs, social networking on mobile devices and laptops needs to be conducted with care and caution. Users shouldn’t open unidentified links, chat with unknown people or visit unfamiliar sites. It doesn’t take much for a user to be tricked into compromising a device and the information on it. All of the same best practices applied to social networking on PCs should be applied to network-connected mobile devices. These best practices include:
- Check privacy settings regularly to make sure account and information is as secure as possible.
- Users shouldn’t answer yes when prompted to save their passwords to a computer. Instead, they should rely on a strong password committed to memory or stored in a dependable password management program.
- Users shouldn’t accept “friend” or “follower” requests from individual’s they don’t know.
- Users shouldn’t click on links in messages, even if from a known “friend,” that seems strange or out of character. A common method used by attackers is to pose as a friend and send messages to users asking something like, “This you in this funny video?” However, there is in reality no video and when the user tries to open the “video” file, they are infected with malware.
- Users should never post social networking messages indicating their location, especially if away from home. In a similar vein, they shouldn’t post messages indicating they will be away from home on a specific date or time, such as being on vacation.
· Users should be aware of their surroundings when accessing sensitive information– Whether entering passwords or viewing sensitive or confidential data, users should be cautious of who might be looking over their shoulder.
· Focus on protecting information as opposed to focusing on the devices– Instead of solely focusing on the mobile devices themselves, IT departments should take a step back and look at where the organization’s information is being stored and should then protect those areas accordingly.
· Know what to do if a device is lost or stolen– In the case of a loss or theft, employees and management should all know what to do next. Processes to deactivate the device and protect its information from intrusion should all be in place. Products are also available for the automation of such processes, allowing small businesses to breathe easier after such incidents.
· Mobile management is key– A well managed device is a secure device. Enterprises should consider implementing a mobile management solution to ensure all devices that connect to their networks are policy compliant and free of malware.
Finally, for those of you who just can’t get enough of our survey, here is a look at the survey’s full results: http://www.zoomerang.com/Shared/SharedResultsSurveyResultsPage.aspx?ID=L26B6QZ2QQQZ.