Mind the gap: security and mobile devices

In our first research release, InsightaaS.com teams with Leger 360 to look at Canadians’ use of personal devices to access and store corporate data — and at their attitudes towards security. The results of the 1500 surveys are sobering, as the infographic resulting from this initial research shows.

In May, principals from what would come to be known as InsightaaS joined forces with Leger Marketing to investigate two related issues: the extent to which individual-owned devices (as compared to corporate-owned devices) are used to access corporate information, and the approaches used to secure these devices and the data that resides on them.

This is a question that has been causing stress in Canadian IT shops for at least two years, since the BYOD (bring your own device) phenomenon, amplified by use of personal email and Dropbox accounts, began to take root in the Canadian business environment. IT managers have tools that can be used to protect data in corporate environments and on corporate devices — but to what extent, we wondered, do individuals use their personal technology for business purposes, and how active are they in securing these devices and the data that they download onto them?

In preparation for a larger project, InsightaaS and Leger asked 1500 Canadians questions about business usage of personal technology and about security approaches associated with personal devices accessing corporate resources. The findings indicate that while BYOD is widespread in Canada, there is little real individual understanding of how to safeguard corporate resources that are accessed through or reside on these devices. Indeed, the initial quote (furnished by a project team member) provides a succinct summary of Canadian attitudes in this area: "I’ll use my device — you worry about the security."

BYOD in the Canadian context

The Leger/InsightaaS survey found that 46% of Canadian employees use their smartphones for work purposes, and that 42% transfer corporate data to these devices — and that this is by no means the only intersection of personal technology and corporate information. More than 60% download and/or access corporate information from home computers, nearly half will send corporate information to their personal email accounts, and a similar proportion use portable storage devices (such as USB drives) to transport corporate information. In all, 72% of Canadian employees keep or access corporate data on personal devices.

There is widespread recognition that loss of corporate data would have a negative effect on employers. More than 80% of respondents employed in financial services organizations, for example, believe that losing or misplacing corporate data would have a negative impact on customer privacy; 78% of government employees believe that this would have a negative impact on their employer’s reputation; an even 80% of employees with IT firms think that loss of corporate data would negatively affect their professional reputations; and 60% of healthcare workers believe that data leakage would harm their employer’s ability to be compliant with applicable laws. In all, seven in 10 Canadians believe that data loss would have an impact on their company’s reputation and/or their own professional reputations.

Taking responsibility: attitudes towards security

This recognition of the potential impact of data loss, however, is not matched in any meaningful way with the security approaches reported by our survey respondents. In several critical areas, we see gaps between employee perceptions and requirements, and the needs and activities of employers.

One critical issue is training. In our survey, 46% of respondents reported that their employers have trained them on how to safeguard corporate information — but 44% stated that their employers should provide more support in securing data. In some industries (education, retail) less than 40% of employees have obtained training on security, while in others (IT, transportation) half or more of employees have been trained, but even larger groups are asking for additional support. Even in industries that have clearly prioritized security training and where the proportion of respondents who have been trained is much larger than the group asking for additional support (finance, government), the study has still shown substantial unmet need.

The source of support itself is still very much in question. Nearly two-thirds of respondents to the survey agree that "my employer is primarily responsible for securing corporate data," and a substantial proportion of respondents look to device manufacturers for help in safeguarding these assets. Less than 40% agree that "I am primarily responsible for securing corporate data."

The iceberg?

We would not suggest that these findings represent the "tip of the iceberg" — the numbers contained in the findings are too large to be masking another 90% of unsurfaced issues pertaining to BYOD security — but there is cause to wonder whether the personal technology/corporate information security threat is still trending upwards.

In our survey, we asked respondents to identify their use of cloud-based applications and storage or computing. We found that the incidence of cloud-based applications and storage/computing systems set up by individuals without any involvement by their corporate IT departments is roughly equal to the scope of cloud applications and storage/computing that has been established by IT for employee use — each runs at 21%-23%. If we assume that use of cloud will continue to increase over time, and that individuals will continue to launch applications and storage that access or contain corporate data without oversight by corporate IT, we see another enormous source of potential exposure for Canadian businesses.

Netting it out

In several important aspects of business technology — notably, mobility and cloud — we are approaching a critical point of divergence. On the one hand, the options presented by technology trends enable businesses, and business management, to directly apply technology to business issues in ways that were previously unfeasible. On the other hand, this kind of activity replicated across an organization can lead to what we recently heard described as "a field of mushrooms" — disconnected systems sprouting up without regard for each other, or for centralized data governance, management and security. The increase in the purchasing and deployment power of non-IT management is real; so, too, is the challenge it poses not just to IT departments but to the cohesiveness, integration and manageability of corporate systems and information — and ultimately, of the organizations that rely on these resources.

To access a copy of the infographic containing highlights from the May survey of 1500 Canadians, please click here.

InsightaaS and Leger have committed to launching a major Canadian research project, "The Connected Business," that will examine business management perspectives on cloud and mobility, and on IT spending allocations and security associated with cloud and mobility. For more information, please contact InsightaaS at reportinfo@insightaas.com.