Carl Weinschenk spoke to Dan Hoffman, chief mobile security evangelist, Juniper Networks. Earlier this month, Juniper introduced the Trusted Mobility Index.
The problem is not that employees don't trust IT departments, said Dan Hoffman, the chief mobile security evangelist for Juniper Networks; it is that they are bypassing them in the process of using their mobile devices. Hoffman told IT Business Edge blogger Carl Weinschenk that this is a growing issue as the amount of mobile malware increases and bring your own device (BYOD) makes the use of inadequately secured devices far more common.
Weinschenk: What did the study cover?
Hoffman: There have been many studies in regard to mobility, including some by Juniper. There have not been many around the idea of trust in mobile situations. The issue of trust is important and has never really been asked. We had over 4,000 respondents around the world, from the UK, U.S., China, Germany and Japan. It was a nice mix of consumers, prosumers and IT decision makers. We asked a mix of questions about usage patterns and outright trust, including "What would you do if a security issue happened?"
Hoffman: We found very surprising things. There are a lot of discrepancies between what IT departments think is happening and what is actually happening. In the vast majority of cases, the trust is not there. About 85 percent of respondents have very little confidence or have not made up their minds on mobility in general - even though they already are using it for sensitive activities.
We found the average mobile user has three Internet-connected devices. That is not surprising. But what is surprising is that 18 percent - almost one in five - have five or more devices. Nine in 10 mobile business usages deal with accessing critical work information.
Seventy-six percent of respondents said that they are using devices to track sensitive data such as online banking and personal medical data. We found nine out of 10 use devices for sensitive work-related activities. Forty-one percent were using devices without the support or knowledge of IT departments. That is an extraordinary statistic. Building off that statistic is that 41 percent do so without the knowledge or support of IT. We asked IT decision makers how many experienced threats from mobility. One-third said yes. In China, the number was two-thirds.
Weinschenk: What does the overall environment look like into which these numbers fit?
Hoffman: Our overall malware sample has grown 30 percent in the first three months of 2012. That is very fast and very consistent with the end of last year. Of the most concern is spyware taking sensitive data and sending it to someone else. In the first two or three months of 2012 the total amount of spyware doubled. It took eight or nine years to get to the level of spyware we had. It took only two or three months to double it.
Weinschenk: Do employees go to IT departments for security help?
Hoffman: We asked. Sixty-three percent said they look to the service provider for that.
Weinschenk: What threads run through this?
Hoffman: There are a couple of threads: One is that there is a substantial disconnect in what IT is seeing and what end users are actually doing. BYOD is driving that, absolutely. The danger is that people are not protected and do not have security in the forefront. There needs to be a balance between not being too intrusive and having the level of protection the IT department needs. People's own personal data needs to be protected as well. That is not being addressed by IT departments or the industry as long as there is no trust on what the IT department is doing.
It tells me it is a big problem. It is not saying users do not trust IT departments. It is saying IT departments are not really involved. Some IT departments have small 50- to 100-device pilots, but you would be very hard pressed to find enterprises that say, "Mobility is in place, policies are in place and we're good to go." We are not seeing that. At the same time we are seeing mobility in general exploding.
Weinschenk: Do companies get it?
Hoffman: In the enterprise space, people realize that something needs to be done. You have to be cautious moving forward and look to service providers to protect mobile solutions. We are seeing a shift in that regard. We will see security come to the forefront of their marketing and product offerings.
Hoffman: For a couple of reasons. First, it's a great revenue opportunity. The second is the need for competitive differentiation. We found if a security event took place, people would take action. They would modify their relationships. We interpret that as meaning that they would shift providers. If they experience a problem they would shift providers and devices and go to a competitor that actually is offering security solutions and marketing security. Service providers have a formula that says that if a security event happens they will lose this many customers and this much revenue. It's becoming standard. We are seeing globally the need for providers to provide a baseline of security.
I think the biggest thing I gather is that the level of trust needs to be addressed by a consortium of service providers, device manufacturers and others. That is starting to happen in some respects. Juniper for instance is working with AT&T and Samsung in offering secure mobile solutions.
Weinschenk: Can the issues be addressed, or is the mobile enterprise world in deep trouble?
Hoffman: That really depends on actions of IT departments and service providers over the next four to six quarters. If they don't address this, it really runs the risk of having dire consequences. The threats are exploding right now, the usage is exploding. If we wait too long it will be too late.
The reason is what is realistically possible to put in place in that time frame. We are seeing threats grow radically every three months. That is not really too long a window of opportunity to fix the problems.
Weinschenk: Where is the industry right now?
Hoffman: As an industry we are in the dark about how many devices there are and how many are infected. We're in a black hole right now, and it is not a good place to be. We can pretend there are not a lot of infected devices or say there are a lot of devices that are infected. I would err on the side of caution. The overall statement is that the growth in mobility is a great thing and there are a lot of advantages to it [but] the level of protection and trust to keep it moving forward has to be addressed.