Secure access to data in a mobile world

Secure data
access in a
mobile universe
A report from the Economist Intelligence Unit

Sponsored by

Secure data access in a mobile universe

Contents

Preface 2

Executive summary 3

Introduction 5

1 Modern mobility: where are we now? 6

2 Loss, theft and bad habits: what are ﬁrms doing to meet the challenges? 8

3 Ever-more data on the go: the emerging trends 11

4 How can companies ensure effective mobile policies? 13

5 Conclusion 15

Appendix: survey results 16

1 © The Economist Intelligence Unit Limited 2012


Preface

An ever-growing use of consumer communication Interviewees
devices in the workplace and a need to maximise Lucy Burrow, director of IT governance,
the productivity of executives and workers on the King’s College London
move are requiring businesses to respond. Secure
Mike Cordy, global chief technology officer,
data access in a mobile universe explores how
OnX Enterprise Solutions
companies can accommodate rising demands for
mobile access to business information while Steve Ellis, executive vice-president, Wells Fargo
minimising the security risks to proprietary data. Jay Leek, chief information security officer,
As the basis for the research, the Economist Blackstone Group
Intelligence Unit in June 2012 conducted a global
Arturo Medina, information technology director,
survey of 578 senior executives. The survey
Ipsos Mexico
explores how organisations are—or should be—
responding to current and emerging challenges Bill Murphy, chief technology officer,
stemming from an unstoppable trend towards Blackstone Group
“bring your own device” (BYOD), as well as rising Al Raymond, vice-president, Aramark
worker mobility more generally. We also undertook Ashwani Tikoo, chief information officer, CSC India
a series of in-depth interviews. The findings and
views expressed in this report do not necessarily
reflect the views of the sponsor. The author was
Lynn Greiner. Michael Singer and Justine Thody
edited the report and Mike Kenny was responsible
for the layout. We would like to thank all of the
executives who participated in the survey and
interviews, including those who provided insight
but did not wish to be identified, for their valuable
time and guidance.



Executive
summary

In the late 1990s portable laptops and mobile opportunities and work more effectively with their
devices emerged that allowed executives to be partners and customers—the same reasons driving
productive while away from their offices. Devices companies to enable mobile data access on firm-
like the IBM ThinkPad and RIM BlackBerry ushered owned devices.
in an era of multifunction mobile equipment that In June 2012 the Economist Intelligence Unit
proved irresistible for the C-suite. Today, the conducted a global survey, sponsored by Cisco, of
world’s mobile worker population has expanded far 578 senior executives to explore their perspectives
beyond corner offices and is expected to reach on securing data on mobile devices. The principal
1.3bn people, or nearly 38% of the total workforce, research findings are as follows:
by 2015, according to IDC, a technology research
firm. By some estimates, as many as 76% of l Most executives are uneasy about their
companies currently support a “bring your own company’s mobile data-access policies.
device” (BYOD) policy, suddenly thrusting them Although 42% of respondents said the C-suite
into the position of securing access to data on needs secure and timely access to strategic
devices they might not own. Most of those firms say planning data to be most productive, only 28%
they allow employees to use personal devices to believe it is appropriate to make this data
make more effective decisions, avoid missed accessible to it on mobile devices. Nearly half of

Who took the survey?
The survey questioned 578 senior executives With respect to organisation size, 55% were from
worldwide. The respondents were based primarily companies with revenue of US$500m or more
in North America (29%), Western Europe (25%) annually, with 22% of those with revenue of
and the Asia-Pacific region (27%), with the rest US$10bn or more. Respondents represented a wide
from the Middle East and Africa, Latin America and variety of industries, in particular IT and technology
Eastern Europe. Of the total number of respondents, (13%), financial services (11%), professional
23% were from the US, 10% from India, 7% from services (11%) and energy and natural resources
Canada and 6% from the UK. In terms of seniority, (9%). Functionally, respondents identified their
27% were at the CEO level, 17% at the senior vice- primary roles as general management, business
president level and 15% at the manager level. development, finance and sales and marketing.



respondents (49%) say the complexity of surveyed are restricted from discussing their
securing multiple data sources and a lack of work on social media platforms. Close attention
knowledge about mobile-access security and risk to policies around social networking can enable
(48%) are top challenges for their companies. effective interaction while still protecting
corporate data assets and avoiding liability.
l Larger companies are most willing to allow
mobile access to critical data, but also impose l Available infrastructure is the key influence
stricter rules. More than 90% of companies with on company policies around mobile access.
revenue over US$1bn allow access to data via While 44% of respondents say pressure from
either personal or company-owned devices. executives is one of the most important
However, more than half of organisations with influences on policy, that number is dwarfed by
over US$5bn in revenue allow access only on the 60% who cite IT infrastructure requirements.
company devices, while a third also permit This indicates an opportunity exists for
access on personal devices. By contrast, only companies offering services to secure and
37% of companies with revenue under US$500m manage mobile access.
insist on company-owned devices, while 47%
permit access on personal devices as well. Is the mobile data access trend unstoppable?
Mobile users within larger firms, however, must The short answer is yes; more sophisticated devices
stay within the lines of approved devices that offer a better user experience only serve to
requiring multiple policy signoffs. accelerate the trend. This means policies are
mandatory, not optional. Getting employees
l Mobile policies must not neglect social involved in shaping those policies certainly
networking. While 56% of survey respondents increases the likelihood of compliance, according
have policies covering acceptable use of social to executives interviewed for this research.
networks via mobile devices, 33% of executives



Introduction

Adopting the right policies around mobile data cultural shift will grow. Expanding the scope of
access is becoming an increasing concern for many business data access presents obvious business
companies. Senior employees, as much as younger risks, as well as technological challenges. Portable
recruits, are demanding access to corporate data devices can be lost or stolen. People may share
anywhere, anytime, on mobile as well as fixed their devices with friends or relatives, increasing
devices. And many companies are realising that the risk of leakage of confidential data. Often
supporting mobile-device policies can pay these data are accessed from software applications
dividends in the form of increased engagement not sanctioned by the company. But it is
and productivity—including a greater willingness increasingly futile for IT departments to try to
to be responsive outside of working hours. BYOD- control the devices people bring to work, or to
friendly workplaces are also more likely to attract control how people use devices outside the office.
tech-savvy workers, which usually helps spur They must respond to the increased vulnerability
innovation. of corporate data networks by enforcing effective
As devices proliferate and lines between safeguards, both to protect business-critical data
consumer and corporate IT continue to blur, the and to comply with regulatory environments in
challenges companies face in adapting to this every region in which the company operates.



1 Modern mobility: where are we now?

Nearly one billion smart connected devices were to make quick, informed decisions, especially at
shipped worldwide in 2011, a number expected to critical times, such as business negotiations, notes
double by 2016, according to IDC, a technology Ashwani Tikoo, chief technology officer of CSC
research firm. These devices include PC-based India, an IT services provider. In the second-largest
products such as laptops and netbooks, mobile operations centre for CSC global, Mr Tikoo is
phones and tablets. The Economist Intelligence responsible for security policies that protect
Unit survey showed that many people use multiple business data on mobile devices. Instant
devices, most often a combination of laptop and availability of data allows sales people to make the
smartphone, although tablets are increasing in right decisions on the spot, rather than making the
penetration. Worldwide tablet shipments in the customer wait, he says. To prevent data loss, CSC’s
second quarter of 2012 grew by 33.6% over the security policies require data encryption on all
first quarter and 66.2% over the same quarter in mobile devices, including personal devices covered
2011, according to IDC’s estimates. We expect to under a BYOD policy.
see significant growth in the use of tablets after Preventing the data from being stored on a
the release of the next generation of software mobile device is another strategy. Al Raymond,
operating systems. Added collaboration and vice-president of privacy and records management
communication features on newer tablets will at Aramark, a US foodservice supplier, says
attract executives with a wider range of data- authorised users who need to access company
access options than smartphones. information remotely do so over a secure virtual
Supporting executives on the road with private network (VPN) from their laptops or mobile
information fed to their mobile devices allows them devices. No data other than email are stored on the

Q Executive mobile social policies
What policies does your organisation face around social network use on corporate devices?
(% respondents)

Executives may not discuss any facet of their work on social networks, but are permitted personal use
33
Only authorised spokespersons are permitted to access social networks on corporate devices
26
Executives have unrestricted access to social networks
19
Executives may not access social networks on corporate devices
18
Other
5
Source: Economist Intelligence Unit survey, June 2012.



CASE STUDY Ipsos, a hybrid approach

In regions like Latin America in which face-to- In the hybrid model under development,
face contact is preferable for market research, interviewers are offered a choice of one of three
smartphones and tablets are replacing pencil and smartphone models that Ipsos knows can run its
paper as the survey tools of choice. Ipsos, a global interviewing software. Employees pay for their own
market research firm, embraced this shift toward device through incremental payroll deductions.
using mobile devices in its operations in Mexico Under normal circumstances, Mr Medina says
and elsewhere. The company currently operates in workers will own the device outright in 2-3 weeks.
84 countries and has 16,000 full-time employees. Ipsos provides a VPN connection to its
Its research spans multiple methodologies from company data, while the employee pays for all
online to in-person, resulting in more than 70 other smartphone functions. Ipsos manages
million interviews per year worldwide. the devices so it can remotely expunge business
Ipsos currently provides company-owned information if necessary. The data accessed on
handhelds to its interviewers, but it is working on the smartphone are encrypted, preventing some
a new approach, says Arturo Medina, IT director losses. Interviewers must also adhere to corporate
at Ipsos Mexico. “Since the cost of custom mobile usage policies. The interviewers have the flexibility
devices are quite expensive, we are adopting a to use one device everywhere, notes Mr Medina, yet
hybrid model of ‘bring your own device’ policies,” the company has sufficient control to protect its
he says. data assets.

device itself, making it relatively easy to protect executives, financial information (60%) and
corporate data assets should the employee leave, strategic planning (42%) were significant
or lose the device. productivity drivers. Managers look for operational
Similar challenges exist around social data (44%) and sales-and-marketing data (43%),
networking on mobile devices outside of the office, while lower-ranked staffers most need access to
although company policies often restrict executive customer (42%) and operational data (42%).
participation. Thirty-three percent of executives Making effective decisions (52%) and avoiding
responding to the EIU survey said that they were missed opportunities (42%) are the top reasons
not allowed to discuss any facet of their work on that senior executives seek mobile access to critical
social networks, and another quarter said that only business data, according to our survey. Liaison
authorised spokespersons were permitted to even with third parties—such as suppliers—comes
access social networks on corporate devices. particularly high on the list for smaller companies;
Executive use of social networking will continue to 42% of respondents at firms with revenue under
be restricted, either by policy or unwritten US$500m put this in their top three, compared
agreement, to protect corporate information and with 37% of all firms. This need to stay connected
limit liability, our research found. helped transform email into a must-have
Of course, different job seniorities require application on mobile devices and remains the
access to different types of data and our survey primary tool used by executives in our study to
yielded few surprises here. Among C-level access business data remotely (81%).



2 Loss, theft and bad habits: what are
firms doing to meet the challenges?

Implementing systems to secure company data respondents from companies with annual revenue
accessed across an array of different platforms of US$500m or less described their company’s
costs money. So it is not surprising that only survey mobile data security policies as inadequate or
respondents from the largest companies feel completely inadequate. As with larger
confident about their firms’ data-security organisations, smaller companies with enforced,
arrangements. While 45% of respondents from written policies can go a long way towards
firms with annual revenue of US$10bn or more say securing corporate data at relatively low cost.
that their firm has state-of-the-art data security Devices sold in the last few years have built-in
measures in place, this falls to just 10% for encryption that need only be activated. However,
respondents from smaller companies (US$500m). additional management tools are often needed to
Moreover, even among firms with revenues automate security processes, forcing smaller firms
between US$500m and US$5bn, as many as a third to balance purchasing protective technologies
describe their companies policies as inadequate or with lower-cost approaches like holding
completely inadequate. employees to security policies.
Overall, our executive respondents accept the As the power of even the smallest mobile
need for investment, with 69% rating security devices continues to increase, so does the risk of
service investment a priority. But our research losing data for the most low-tech of reasons.
indicates that more needs to be done to educate Kensington, a US computer peripheral
executives about security risks. Some companies manufacturer, says more than 70m smartphones
that believe they have strong security nevertheless are lost annually, with only 7% recovered. Laptops
allow risky practices. For example, among those are not immune either, with Kensington’s research
executives who said their firms have industry- showing that 10% will be lost or stolen over the
leading security practices (20%), 13% said there life of the PC. Three-quarters of the losses occur
are no restrictions on their social-networking during transit or while the employee is working at
activities. This practice, of course, carries risk of a remote location. A large percentage of those lost
accidental exposure of confidential company machines contain some type of business data.
information. Our research found that setting The average cost of a corporate data breach
social-networking policies can both enable incident reached US$7.2m in 2010, according to
effective interaction and help protect corporate the Ponemon Institute, a consultancy. That is more
data assets and avoid liability. than double the average cost in 2005. Mr Raymond
With fewer resources than their larger of Aramark thinks that these figures ring true, given
counterparts, smaller companies face stiffer the number and types of breaches, adding that
challenges in securing mobile data. Nearly 40% of there are hundreds of small incidents each year and



Getting a grip on BYOD
Since the “bring your own device” model is comparatively on corporate servers that can be accessed securely and do the
new, there are few tried-and-tested industry standards for heavy computing, and not on the device itself. Methods of
BYOD policies. Typically, if an employee leaves the company, doing this, which include using virtual desktop technology and
voluntarily or otherwise, company data must be quickly removed, accessing data through web-based services like Salesforce.com,
preferably without interfering with the employee’s personal are becoming more widespread because mobile access to secure
information. Acceptable use policies for BYOD usually include a networks enables company-controlled encryption, authentication
clause permitting this. Companies can also protect themselves and management.
legally by modifying their existing mobile policies, recommends Arturo Medina at Ipsos, which imposes similar network-based
a June 2012 National Law Review brief. Policies that centre on controls, recommends a constant dialogue with employees
harassment, discrimination and equal-employment opportunities to ensure compliance and prevent unauthorised downloads
policies, confidentiality and trade-secret-protection policies, of corporate data. “Make clear the boundaries of sensitive
and compliance and ethics policies may all be updated to protect information and user information, as well as what gets backed up
companies against worker abuse of mobile policies. as corporate info and what is considered personal information,”
As a safeguard against risky executive practices, many Mr Medina advises.
companies install software on the employee’s device to lock
down its software, encrypt data and perform other administrative
functions, such as updating calendars or applying security Q BYOD policies
How has your organisation implemented BYOD for access
updates. Intrusive though this may sound for the employee, to critical data? Select all that apply.
(% respondents)
most mobile-device policies require some type of remote
Specifying approved devices
administrative access controls. Some companies that have BYOD 25
policies expect executives and employees to make sure they Requiring sign off on acceptable use policy
32
have necessary software on their devices, at their own expense. Monitoring applications on devices
Others reimburse all or part of the cost of programmes required 14
Requiring defined security software on personal devices
specifically for business. Proper configuration and good usage 31
practices must be monitored and enforced centrally, Aramark’s Requiring a secure virtual environment on personal devices
25
Mr Raymond says, adding that regularly reinforced security Requiring IT management on personal devices
awareness training also keeps secure data access fresh in (eg, to remotely wipe a lost or stolen device)
21
employees’ minds. Restricting mobile data access to specific apps
Mr Raymond says his company takes an alternative approach 18
No restrictions, executives have free access to whatever data is available
to device-centric mobile-security administration. Workers use 20
the mobile device purely as a viewer, leaving company data Source: Economist Intelligence Unit survey, June 2012.

a few major ones that may reach US$25m–500m. Australia (36%) experienced more breaches caused
Of particular concern to companies looking to by malicious attacks than those caused by
prevent data breaches caused by employees, many negligence. India was the only country in which
mobile data losses are a direct result of user system glitches surpassed negligence and malice as
carelessness. Ponemon’s 2011 Cost of Data Breach causes of breaches.
Study found that anywhere from 30% to 40% of Some notable mobile data losses illustrate how
breaches were caused by negligence, followed by easily a breach can occur. The Cancer Care Group,
those due to malicious attacks (43%). The study an Indianapolis cancer clinic, lost the personal
found 50% of breaches from Italian companies data of more than 55,000 patients as well as those
were generated by the loss or theft of a mobile of its employees in July 2012 when an employee’s
device. Only Germany (42%), France (43%) and laptop containing server backup files was stolen



from a locked vehicle. The data were not encrypted, adding password protection to mobile devices, be
contrary to best practices. The MD Anderson Cancer they laptops, smartphones or portable data storage
Center, a Texas medical clinic, suffered two devices, and by full encryption of the disk or USB key.
breaches between June and July 2012. While one These devices should also be secured physically.
incident was caused by an unencrypted portable For instance, they should not be left in unattended
USB key lost on a bus, another took place when a vehicles, even locked ones. Mobile phones and
laptop, also unencrypted, was stolen from a faculty some PCs (those equipped with Intel’s VPro
member’s home. Information on over 30,000 technology) can be remotely disabled and wiped
patients was compromised in the two breaches. clean of data if they go missing; the more sensitive
After the second breach, the facility began a the data they hold, the more critical it is that such
project to encrypt all of its data. a mechanism is put in place, since encryption can
Companies can prevent many data breaches by be broken.



3 Ever-more data on the go:
the emerging trends

Almost 90% of organisations worldwide allow devices. Steve Ellis, executive vice-president of
mobile access to critical data, according to the Wells Fargo, notes that his company is
International Telecommunication Union (ITU), a approaching BYOD with caution and is currently
UN agency. Of those organisations identified in the evaluating options. A formal plan may be another
EIU survey that do not have formal BYOD policies, year away, Ellis says. Other companies with no
25% say they plan to implement a programme in formal BYOD policy report seeing personal devices
the next 12-18 months. They note that this type of slip in under the radar. Before the introduction of
programme makes for more motivated employees, Aramark’s formal mobile policy ten months ago,
an observation upheld by independent research. people had no defined rules telling them what
According to research conducted in August 2012 by devices and operating systems were eligible to be
iPass, a US mobile software company, many connected to the company network. With the new
employees work up to 20 additional unpaid hours policy, entailing role-based access and approved
per week when they’re always connected. Almost devices and configurations, the company knows
90% of iPass respondents said that wireless precisely who has access and to which data. “It is
connectivity is as important a component of their no longer a wink and a nod,” Mr Raymond says.
lives as running water and electricity. The higher the visibility of your program, the more
Though more employees are working outside of likely it will be adhered to.
the office, establishing a mobile-access Policies aside, the nature of devices has
programme including BYOD is not an option for changed as well. Currently, just over a quarter
some firms. Highly regulated banking and finance (27%) of critical data access is occurring by means
companies have strict policies that prohibit letting of smartphones, according to our survey.
executives access company data from their own Respondents expect this to rise to over a third

Q Executive access devices
What devices does your organisation provide to its executives to access critical data?
Select all that apply.
(% respondents)

Smart phone
85
Tablet
41
Laptop
85




CASE STUDY US EEOC launches mobility pilot

The US Equal Employment Opportunity Commission to configure agency email access for employees
(EEOC) FY 2012 budget was slashed by nearly 15%, participating in the secondary testing. The agency’s
from US$17.6m to US$15m. Needing to reduce remaining 468 employees using EEOC-issued
operating costs, Chief Information Officer Kimberly BlackBerry devices were offered three choices:
Hancher reduced the agency’s mobile device
budget by half. To help fill the gap, the agency 1. Voluntarily return the BlackBerry and bring
launched a mobile BYOD pilot project. The project a personal Android, Apple or BlackBerry
focused on providing employees with access to smartphone or tablet to work.
agency email, calendars, contacts and tasks. A
2. Return the BlackBerry and get a government-
few senior executives were provided “privileged”
issued cell phone with voice features only.
access to the agency’s internal systems as part of
the project. 3. Keep the BlackBerry with the understanding that
In the initial testing phase, 40 volunteers turned the EEOC does not have replacement devices.
in their government-issued BlackBerry devices
and instead used their personal smartphones. EEOC managers report positive results from the
Information security staff, legal staff and the pilot so far. Employees pay for their own voice and
employees’ union generated rules that balanced data usage and the agency covers the licenses for
employee privacy (social media policies, the management software. The EEOC’s Mr Hancher
monitoring policies) with government security, noted that, for some employees, the cost may be
such as the US National Institute of Standards an issue and there is an outstanding question of
and Technology (NIST) regulation SP 800-53 (also whether the agency will be able to provide some
known as “Recommended Security Controls for sort of reimbursement for part of the data and
Federal Information Systems and Organisations”). voice services. Mr Hancher notes that success was
The second phase of the programme launched in achieved by involving employees, the union and
June 2012. The EEOC worked with its contractors legal departments early in the process.

(35%) in the next 12-18 months, with another 30% easier interaction with apps.
of critical data accessed by means of other mobile Interestingly, although 42% of respondents said
devices, up from a fifth currently. With the advent the C-suite needs secure and timely access to
of newer software and the associated devices, strategic planning data to be most productive, only
tablets are poised to become a more widely used 28% believe it is appropriate to make this data
mobile window to corporate data for executives, accessible to it on mobile devices. The main
perhaps even supplanting smartphones one day, challenge, unsurprisingly, is concern about
according to an article in The Economist (October potential security and other risks. Nevertheless, only
2011). Their larger screen size expands the range 11% of respondents to our survey say their
of data that can be effectively viewed, and, organisation does not provide access to critical data
supplemented by external keyboards, they enable outside the office.



4 How can companies ensure
effective mobile policies?

Survey respondents clearly recognise the workers to recoup data on a lost or damaged
advantages of enabling mobile data access and are device with little effort. These measures will allow
aware of the necessary investments. Some of the more executives in the future to access corporate
measures that companies need to adopt to secure data securely from any computer, according to our
corporate data accessed by mobile devices can be executive interviewees.
put in place remotely. IT managers can currently For the travelling C-level executive, less time
add security features to laptops, smartphones and spent updating security protocols means more time
tablets, often using existing management tools. for getting work done. In the future data security
They can also separate company data from will be strengthened with the help of technologies
personal data as well as duplicate and store built directly into applications that protect the
business data on corporate networks. Virtual data itself, making interception and misuse more
desktops provide secure mobile access to data on difﬁcult, CSC’s Mr Tikoo said. “Applications should
personal laptops. These safeguards allow mobile be able to recognize that I am working on an iPad

Q Mobile empowerment
In what ways is your company empowering access to critical data today and how might that change in the future?
Select one answer in each column for each row.
(% respondents) Today In the future

Providing access to multiple types of data 60
47
Providing secure mobile environments to 45
allow access to critical data 43
Enhancing secure access to data 41
(eg, mobile device generated security tokens) 45
Training executives to use 36
mobile data more effectively 42
Enabling customised mobile views of data 24
58
Providing mobile apps to access 20
critical data on multiple platforms 52
Providing secure cloud-based 20
environments for mobile use 57
Designing intuitive mobile user interfaces 15
48
Incorporating new communication/data 14
access methods (eg, QR codes, NFC) 47




or a little 5-inch screen and render the data to me acceptable use policy that covers everything from
appropriately.” the type of data they may access from a mobile
Mr Raymond says that although his business device to rules concerning password strength.
doesn’t require it, separate environments for Other security safeguards require reliable action
business and personal use are important. But if the on the part of users. While mobile devices should
policies surrounding them, or any other security have passwords, Coalﬁre, an audit and compliance
measures, are not enforced, there will be ﬁrm, estimates only half of personal devices
consequences. He says he is always surprised when currently do. Employees in a BYOD programme
speaking with his peers at how much of security in must agree that if their personal devices are lost or
large organisations is just “smoke and mirrors”. stolen, the IT department’s responsibility includes
The words are there, the enforcement is not. remotely wiping out information on personal
Ipsos, a global research company, requires every devices to protect company data.
employee to complete a security-awareness There is clearly some way to go in most
training course delivered over its corporate organisations to educate staff on the security
intranet—a cost-effective way to reach its staffers issues raised by mobile access of company data.
in 84 countries. While its programme was internally The survey indicated that executives outside
developed, commercially available security- Europe and North America are more likely to resist
awareness products that can be customised for data-security policies on personal devices. Yet, in
local needs are readily available from organisations an increasingly interconnected business world,
such as the US National Security Institute (NSI). security gaps in one region can affect compliant
Employees are also required to sign a mobile companies (and their customers) elsewhere.



5 Conclusion

Not only will mobile data access expand, the trend integral to global business. The type of device in
is unstoppable. Unmanaged and unsecured devices use is evolving, with tablets being the up-and-
have already crept into the business environment, coming device of choice. We can expect to see
putting company data at risk and opening the door significant growth in the use of tablets after the
to attacks through compromised devices. Almost release of the next generation of software
one-third of respondents in our survey report operating systems, which will give tablets a wider
inadequate mobile device policies at their range of data-access options than smartphones.
companies. Establishing sensible, workable policies This will be a mixed blessing, analysts believe, as
is a first step to achieving a viable mobile data tablets will be supplemental devices to existing
access programme. systems, not replacements.
Executives classifying their device policies as Securing critical data in the future may mean
industry-leading indicate they use data on-the-go creating even more stringent access requirements.
to make more effective and collaborative decisions, The shift towards tablets for business outside the
avoid missed opportunities and work more office, for example, will open up a whole new set of
effectively with partners and customers. To ensure challenges because it will encourage executives to
that this access won’t compromise business data, seek mobile access to a wider range of data. It will
executives may want to prioritise programmes that require many companies to take a fresh look at the
mitigate risk and support investments in data and whole issue, from devices and their weaknesses
security services. through available infrastructure to the users
Connected devices are becoming increasingly themselves.



Appendix:
survey
results

Percentages may not add to 100% owing to rounding or the ability of respondents to choose
multiple responses.

Based on your observations, how does your organisation’s mobile device policy compare to those of its competitors
within your industry?
(% respondents)

Industry leading (my organisation has a written, formal, enforced policy for the management and use of mobile devices)
20
Adequate (my organisation has informal guidelines that are monitored and enforcement action taken when necessary)
47
Inadequate (my organisation has informal or formal guidelines that are neither monitored not enforced)
19
Completely inadequate (my organisation has no formal or informal policy for the use and management of mobile devices)
11
Don’t know
3

What leading business factors are driving the need for access to critical data from mobile devices?
Select up to three.
(% respondents)

Making more effective decisions
52
Avoiding missed opportunities
42
Working more effectively with third parties (suppliers, partners, customers, etc)
37
Empowering executives
37
Keeping up with competitive pressures
31
Maximising more business functions
27
Satisfying internal demand
21
Controlling costs
16
Other
3
We have no need for mobile data access
1



Does your organisation allow access to critical data outside the office?
(% respondents)

Yes, on company-owned devices only
43
Yes, on either company or personally-owned devices
46
No
11
I don’t know
1

What devices does your organisation provide to its executives to access critical data?
(% respondents)

Smartphone
85
Tablet
41
Laptop
85
Pager
2
Other
1
We do not provide company-owned devices to executives
3

Does your organisation allow executives to bring their own devices (BYOD) and use them instead of company-owned
devices to access critical data?
(% respondents)

Yes
49
No
49
I don't know
3

How has your organisation implemented BYOD for access to critical data?
(% respondents)

Specifying approved devices
25
Requiring sign off on acceptable use policy
32
Monitoring applications on devices
14
Requiring defined security software on personal devices
31
Requiring a secure virtual environment on personal devices
25
Requiring IT management on personal devices (eg, to remotely wipe a lost or stolen device)
21
Restricting mobile data access to specific apps
18
No restrictions, executives have free access to whatever data is available
20



Does your organisation plan to implement BYOD for access to critical data?
(% respondents)

Yes
20
No
55
I don't know
25

What do you perceive is the biggest obstacle to implementing BYOD for access to critical data?
(% respondents)

Corporate security or risk concerns
50
Corporate IT concerns over difficulty managing personal devices
14
Corporate IT resistance to supporting executives’ personal devices
14
Executive resistance to policy restrictions on personal devices
9
Cost of required device management infrastructure
6
Other
4
Allocation or management of charges on executive devices
4

In your opinion, what are the greatest challenges your company faces in securing access to critical data over mobile
devices, whether owned by the firm or the executive?
Select up to four.
(% respondents)

Multiple data sources, each requiring distinct security measures
49
Lack of knowledge about security/risk of mobile access
48
Lack of resources to manage/secure data access
34
Classifying data to determine risk profile for each source
34
Lack of apps for all required platforms (eg, there may be an iPhone app, but not one for Android)
25
Data unsuitable for remote access
23
Executive resistance to security measures
22
Lack of resources to develop needed apps/access methods
21
Legacy systems are prohibitive
16
Lack of mobile access for some locations
12
Other
1
We do not face this challenge
5



Besides your job title, what determines which data are/will be made available to mobile devices?
Select up to three.
(% respondents)

Availability of data
40
Departmental or organisational standards
32
Availability of mobile data access apps
31
Type of access method (on site vs remote)
30
Speed at which up-to-date information is required
29
Cost
23
Screen size of the device accessing the data
21
Regulatory compliance
20
User preferences
19
Other
3

What determines which users are/will be permitted to access critical data on mobile devices?
Select up to three.
(% respondents)

Departmental or organisational standards
54
Availability of data
28
Type of access method (on site vs remote)
25
Cost
24
Regulatory compliance
23
Availability of mobile data access apps
21
Speed at which up-to-date information is required
20
User preferences
19
Screen size of the device accessing the data
9
Other
3



What are the most important influences on company policies and approaches towards creating a mobile device and
application strategy?
Select up to three.
(% respondents)

IT infrastructure requirements to accommodate mobile access
60
Pressure from executives needing anywhere/anytime access to data
44
Legal/regulatory requirements around data management
40
Pressure from security/risk management
39
Competitive pressure, wanting to be perceived as up-to-date by customers and competitors
31
Pressure from senior management who wish to use personal devices
23
Cost
19
Other
1

Which of the information listed need to be delivered in a secure and timely fashion for the following roles to be most productive?
—C-level executives
Select up to three for each role.
(% respondents)

E-mail
74
Financial information
60
Strategic planning
42
Competitive intelligence
35
Operational data
24
Sales and marketing
18
Customer information
10
Human resources
8
News or social network feeds
6
Other
1



—Business managers
(% respondents)

E-mail
75
Operational data
44
Sales and marketing
43
30
26
23
Human resources
15
Strategic planning
13
8
Other
1

—Employees
(% respondents)

E-mail
80
Operational data
42
42
23
Sales and marketing
20
Human resources
17
7
7
Strategic planning
4
Other
1



Which of these types of information/media are appropriate to be made accessible on mobile devices?
(% respondents)

E-mail
81
45
Strategic planning
28
28
Operational data
22
Sales and marketing
19
15
11
Human resources
8
Other
1

(% respondents)

E-mail
81
Operational data
38
Sales and marketing
37
25
19
19
17
Human resources
14
Strategic planning
9
Other
1



—Employees
(% respondents)

E-mail
82
Operational data
35
33
33
Sales and marketing
18
Human resources
12
5
5
Strategic planning
3
Other
1

Which of these types of information/media are appropriate to be made accessible on mobile devices from cloud-based storage?
(% respondents)

E-mail
60
27
25
23
Operational data
21
Strategic planning
21
Sales and marketing
19
14
Human resources
7
Other
2



(% respondents)

E-mail
59
Sales and marketing
33
Operational data
29
26
22
16
14
Human resources
12
Strategic planning
6
Other
2

—Employees
(% respondents)

E-mail
62
34
Operational data
28
25
Sales and marketing
17
Human resources
10
7
5
Strategic planning
3
Other
2

Does your organisation provide mobile access to data for each of the following groups?
(% respondents)
Yes No Don’t know
All international locations
54 34 12
All locations in your region
67 27 6
All departments
56 37 7
All roles
35 58 7



Does your organisation have policies in place for acceptable use of social networks (eg, Facebook, Twitter) on corporate devices?
(% respondents)

Yes
56
No
39
I don’t know
5

What policies does your organisation face around social network use on corporate devices?
(% respondents)

Executives may not discuss any facet of their work on social networks, but are permitted personal use
33
Only authorised spokespersons are permitted to access social networks on corporate devices
26
Executives have unrestricted access to social networks
19
Executives may not access social networks on corporate devices
18
Other
5

What is the ratio of time you spend on company-owned vs personal-owned mobile devices for your organisation?
Drag the slider button to choose a relevant percentage split that reflects how each option should be weighted (eg, 60% to 40%).
(% respondents)
100:0 90:10 80:20 70:30 60:40 50:50 40:60 30:70 20:80 10:90 0:100
Company owned
12 23 17 13 6 9 3 3 2 3 9

What kind of priority does your organisation accord to the following strategies?
Rate on a scale of 1 to 5, where 1=High priority and 5=Not a priority.
(% respondents)
1 High priority 2 3 4 5 Not a priority
Investing in data services
27 35 25 9 4
Investing in mobile services
16 29 31 15 9
Investing in security services
37 32 19 9 3

© The Economist Intelligence Unit Limited 2012 25


—Today
(% respondents)

Providing access to multiple types of data
60
Providing secure mobile environments to allow access to critical data
45
Enhancing secure access to data (eg, mobile device generated security tokens)
41
Training executives to use mobile data more effectively
36
Enabling customised mobile views of data
24
Providing mobile apps to access critical data on multiple platforms
20
Providing secure cloud-based environments for mobile use
20
Designing intuitive mobile user interfaces
15
Incorporating new communication/data access methods (eg, QR codes, NFC)
14

—In the Future
(% respondents)

Enabling customised mobile views of data
58
Providing secure cloud-based environments for mobile use
57
Providing mobile apps to access critical data on multiple platforms
52
Designing intuitive mobile user interfaces
48
Providing access to multiple types of data
47
Enhancing secure access to data (eg, mobile device generated security tokens)
45
Providing secure mobile environments to allow access to critical data
43
Training executives to use mobile data more effectively
42
Incorporating new communication/data access methods (eg, QR codes, NFC)
47

What is the proportion of critical data you access over What will be the proportion of critical data you access
mobile channels today? over mobile channels in 12-18 months?
Total should be 100% Total should be 100%

Average Average
Mobile via smart phone 26.9 Mobile via smart phone 34.5
Mobile on other devices (eg, tablet) 21.7 Mobile on other devices (eg, tablet) 30.2
Non-mobile access 59.8 Non-mobile access 42.8



In the next 12–18 months, what does your organisation expect to do with access to critical data that it is not currently able to do?
(% respondents)

Provide wider data support for mobile devices
47
Identify risks that are not currently apparent
46
Further improve business process efficiencies
45
Provide access to data from more data sources
44
Identify opportunities that are not currently apparent
40
Improve customer service
34
Speed up process improvements
33
Provide access based on user’s role and/or device type
32
Increase consumer engagement
27
Drive new revenue streams
23
Innovate on more diverse and timely feedback
17
Other
1

In which region are you personally located? In which country are you personally located?
(% respondents) (% respondents)

Asia-Pacific United States of America
27 23
Latin America India
9 10
North America Canada
29 7
Eastern Europe United Kingdom
3 6
Western Europe Germany
25 4
Middle East and Africa Singapore, Australia, Brazil, Mexico
6 3
Italy, Hong Kong, Switzerland, China, Nigeria, Spain
2
France, Belgium, Netherlands, South Africa, Finland, Japan, Malaysia,
What are your organisation’s global annual revenues New Zealand, Portugal, United Arab Emirates, Chile, Sweden, Russia,
in US dollars? Bahrain, Bulgaria, Colombia, Czech Republic, Hungary, Israel, Pakistan,
(% respondents) Philippines, Poland, Taiwan, Thailand
1

$500m or less 45

$500m to $1bn 9

$1bn to $5bn 17

$5bn to $10bn 7

$10bn or more 22



What is your primary industry? Which of the following best describes your title?
(% respondents) (% respondents)

IT and technology Board member
13 5
Financial services CEO/President/Managing director
11 27
Professional services CFO/Treasurer/Comptroller
11 8
Energy and natural resources CIO/CTO/Technology director
9 5
Healthcare, pharmaceuticals and biotechnology Other C-level executive
8 8
Manufacturing SVP/VP/Director
8 17
Consumer goods Head of Business Unit
6 3
Government/Public sector Head of Department
5 8
Telecoms Manager
4 15
Chemicals Other
3 3
Entertaining, media and publishing
3
Transportation, travel and tourism
3 What is your main functional role?
Retailing (% respondents)
3
Education General management
3 30
Logistics and distribution Strategy and business development
3 17
Construction and real estate Finance
2 15
Agriculture and agribusiness Marketing and sales
2 10
Aerospace and defence IT
2 7
Automotive Operations and production
1 5
Information and research
3
R&D
3
Risk/Security
2
Procurement
2
Customer service
2
Human resources
2
Supply-chain management
2
Legal
1



Whilst every effort has been taken to verify the accuracy of this
information, neither The Economist Intelligence Unit Ltd. nor the
sponsor of this report can accept any responsibility or liability
for reliance by any person on this white paper or any of the
information, opinions or conclusions set out in the white paper.
Cover: Shutterstock

© The Economist Intelligence Unit Limited 2012 29

London New York Hong Kong Geneva
26 Red Lion Square 750 Third Avenue 6001, Central Plaza Boulevard des
London 5th Floor 18 Harbour Road Tranchées 16
WC1R 4HQ New York, NY 10017 Wanchai 1206 Geneva
United Kingdom United States Hong Kong Switzerland
Tel: (44.20) 7576 8000 Tel: (1.212) 554 0600 Tel: (852) 2585 3888 Tel: (41) 22 566 2470
Fax: (44.20) 7576 8476 Fax: (1.212) 586 0248 Fax: (852) 2802 7638 Fax: (41) 22 346 93 47
E-mail: london@eiu.com E-mail: newyork@eiu.com E-mail: hongkong@eiu.com E-mail: geneva@eiu.com

Secure access to data in a mobile world

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Secure access to data in a mobile world

Similar to Secure access to data in a mobile world (20)

More from Datafield

More from Datafield (9)

Recently uploaded

Recently uploaded (20)

Secure access to data in a mobile world