More than a third of federal workers within the next year will use mobile devices exclusively to complete their daily work and many acknowledge their organizations frequently sacrifice security for the productivity enhancements that mobility provides, according to a new survey from the Ponemon Institute.
According to the survey, “Security in the New Mobile Ecosystem,” commissioned by Raytheon, 60 percent of respondents said mobile devices in the workplace have diminished employees’ security practices. Likewise, 52 percent said security practices on mobile devices have been frequently sacrificed in order to improve employee productivity. The study surveyed 618 “IT and IT security practitioners,” including 75 from the federal government.
Although mobile adoption rates between industry and government differ, Larry Ponemon, chairman and founder of the institute, said “there’s tremendous similarity in the data,” especially with end users driving the growth because of increased productivity.
“Mobile has kind of evolved very quickly and its end users are very demanding and it creates real pressure points on organizations that are trying to develop proper security methods and tight controls around data and critical infrastructure,” Ponemon said. That is creating a delicate balancing act for the IT teams within agencies, an often stressful one for chief information officers.
“Anytime you’re looking at that [balance] between security and sacrificing productivity, if you try to do that as a CIO you will be killed,” he said. “It’s all about productivity ultimately. We have to figure out methods and strategies for ensuring that you can achieve a good level of productivity and still manage the security.”
Ponemon pointed to better funding for mobility programs within the federal government as a solution because both sides — users and security teams — get what they want.
“The lesson that’s learned is in order to get the mobile ecosystem right, you need to make investments in technologies and people and governance so you can reduce some of the risk without affecting productivity,” he said.
Ashok Sankar, vice president of cyber strategies for Raytheon, believes the security problem isn’t so much about device security as it is data security. New technologies like virtual mobile infrastructures, which works like other virtualization technologies, can separate vulnerable data from the threats introduced by mobile programs like BYOD.
“From a CIO perspective, they need to really start thinking about this in a different way,” Sankar said. “Since mobile devices came about, everyone’s been worried about security and all the technologies out there are very device-centric. It’s still about data security, it’s not about device security. Yes, if it’s a novel device, it helps to do a lot of things. But it still goes back to the point of data security.”
Despite the major security concerns inherent with mobile devices, the productivity is too important to ignore. Fifty-eight percent of government respondents said mobile devices have increased productivity, although 54 percent are conscious of the toll its taking on security practices.
“Security for a long time has been a one way conversation. IT or security as an enterprise dictated what an employee could have or what they could do. I think with the concept of BYOD and with the mobile paradigm, the conversation is shifting. I think it’s going to be a collaborative conversation.”
The popularity of mobile device use is a relatively new phenomenon, though, and there’s a possibility that users and the IT teams don’t know how much risk is connected to it or the best way to mitigate it. According to Rick Holgate, assistant director for science and technology and CIO at the Bureau of Alcohol, Tobacco, Firearms and Explosives, this might inflate some of the findings.
“[T]he survey is reflective of the current general state of mobility and mobile security, including the still-emerging nature of the technology and the general unease with the variability of technology across organizations,” Holgate said in an email. “I’d suggest those latter factors tend to inflate some aspects of risks, including both existence of current security risks and downstream costs of managing security.”