Changing Face of Mobility Raises the Stakes for Endpoint ... - Bitpipe

CHANGING FACE OF MOBILITY RAISES THE STAKES FOR ENDPOINT DATA PROTECTION

CONTENTS:

• Enterprise Mobility Strategy and BYOD Policies
• Endpoint Vulnerabilities and Challenges
• Conclusion

For several decades, computing has become increasingly mobile. As notebooks became both more powerful and more affordable, organizations increasingly outfitted their workforces with portable computers. Not only was the technology advancing rapidly, but mobility-based work processes also demanded the ability to work anywhere, at any time. But as first-generation mobile computing gave way to the bring-your-own-device (BYOD) phenomenon, new challenges emerged.

Those challenges are highlighted in a research survey conducted with the TechTarget network of IT professionals in January 2015. While the survey results certainly support the growing trend toward mobility in general and BYOD in particular, they also highlight some potentially troubling byproducts of that movement. These include:

• While most companies have some form of policy in place in support of employees using personal mobile devices, those policies can vary widely from organization to organization.
• As a result, only a slim majority of organizations have a formal strategy for mobility solutions, even though most respondents say mobility is one of their key IT initiatives for 2015.
• Even as consumer devices such as tablets and smartphones increasingly are used for business applications, IT professionals feel twice as vulnerable to endpoint security threats with those devices as they do with traditional endpoints such as desktops and notebooks. However, the research points out that respondents also feel a significant level of vulnerability in protecting their traditional PC endpoints.
• Data loss prevention is the feature survey respondents said was the most difficult to fully achieve, but they also noted that endpoint security is their single biggest concern for the coming year.

The bottom line: Endpoint vulnerability is real and is increasing, particularly with the influx of users’ own tablets and smartphones. This is an important reality that is likely to become even more important in the coming years. By 2017, most employers will stop issuing corporate mobile devices to employees and instead will require their workers to supply their own mobile devices, according to Gartner Inc. [1] Combine this trend with additional data indicating that more than 80% of mobile devices face data loss vulnerabilities [2], and it’s hard to overestimate the magnitude of the problem created by consumer-class mobile devices.

Enterprise Mobility Strategy and BYOD Policies

According to the TechTarget survey, slightly more than half of respondents’ organizations have a formal, enterprise-wide strategy for mobility solutions. One third of the respondents said their organizations lacked a formal strategy. Organizations that lack a formal, updated and business process-aware strategy for mobility need to act fast, according to Forrester Research’s Chris Sherman, who pointed out that many IT departments “have revisited old strategies that no longer work for today’s mobile users.” [3]

Does your organization have an enterprise-wide strategy for mobility solutions?

Yes: 58%
No: 33%
Unsure: 9%

[1] “Gartner Predicts by 2017, Half of Employers Will Require Employees to Supply Their Own Device for Work Purposes,” Gartner Inc., May 2013
[2] “Press Release: More than 80% of Smartphones Remain Unprotected from Malware and Attacks,” Juniper Research Finds, Aug. 10, 2013
[3] “Market Overview: Enterprise Endpoint Backup and Recovery Solutions,” Forrester Research, July 2014


Of course, mobility is widely acknowledged as an increasingly important IT initiative. Sixty-six percent of survey respondents said mobility was either one of their most strategic initiatives or an important initiative for 2015, and only 22% said they had no strategic plans for mobility in the coming year.

Undoubtedly, having some kind of policy for BYOD needs to be part of any enterprise-wide mobility strategy, but survey responses point to a number of different scenarios for how, or if, employee-owned devices are used for work tasks. For instance, while 78% of respondents said their organizations have some kind of policy on use of personal mobile devices, there is no consensus on what that policy may look like. Respondents were about as likely to say their company had an informal, user-driven BYOD policy as they were to indicate that they had a more formal, IT-driven approach.

[Chart: Which best describes your organization’s attitude toward BYOD? Response options: Formal policy endorsed and supported by IT; Informal policy that is user-driven; Require selection from pre-selected list of devices; Don’t allow use of personal devices. Values shown: 14%, 22%, 34%, 30%.]

Endpoint Vulnerabilities and Challenges

The survey results point out that IT professionals acknowledge significant vulnerabilities in protecting their current endpoints—and that they feel those vulnerabilities are significantly more pronounced for consumer-class devices such as tablets and smartphones than they are for traditional endpoints such as desktops and notebooks. However, it’s important to note that nearly a third of the respondents acknowledge feeling either “very vulnerable” or “vulnerable” to potential security threats on their traditional PC endpoints (desktops and notebooks). This highlights the importance of having comprehensive mobility strategies that account for all types of endpoint devices—desktops, notebooks, tablets, smartphones and other connected mobile devices.


How vulnerable does your organization believe your endpoint devices are to potential security threats?

Response                  Desktops/Notebooks    Tablets/Smartphones
Very vulnerable           11%                   25%
Vulnerable                20%                   20%
Somewhat vulnerable       35%                   33%
Not very vulnerable       32%                   16%
Not vulnerable at all     2%                    5%

Not applicable (non-PC endpoints are not part of our endpoint infrastructure): 1%

Respondents were more than twice as likely (25%, compared with 11%) to consider their workers’ tablets and smartphones to be very vulnerable to endpoint security risks than their desktops and notebooks. A related issue to keep in mind is the fact that survey respondents said their IT departments, for the most part, are not responsible for data backup and recovery from non-PC endpoints.

[Chart: Is IT responsible for backing up and recovering data on non-PC endpoints? Response options: Yes, No, Unsure. Values shown: 9%, 27%, 64%.]

This finding reveals another vulnerability in organizations’ endpoint security when they have embraced BYOD: If IT isn’t part of regular data backup processes for consumer devices, that puts an enormous burden on the organization to educate its users about the proper backup procedures they should be following on their own. Of course, chances are that while many technically savvy users are well aware of the need to do frequent backups, a great many users live with a false sense of security that their data is adequately protected through public cloud services.


For instance, consider the popularity of cloud-based sync-and-share storage services. IT organizations may be aware that many of their users are employing these cloud-based services for storing not only personal data, but business information as well. But that awareness by the IT department isn’t always equivalent to taking responsibility for endpoint security and backup. After all, doing so requires that IT organizations understand and be willing to work with the intricacies of different cloud storage services, from Google Drive and Apple iCloud to Amazon Web Services’ AWS Storage and Dropbox.

Which of the following sync-and-share storage services does your IT organization allow/support for work applications?

Google Drive: 35%
Dropbox: 32%
iCloud: 22%
OneDrive: 22%
Box: 17%
AWS Storage: 16%
SugarSync: 4%
Other: 36%

While consumer devices present their own unique challenges, the survey results also highlight the need for IT organizations to confront a variety of potential problem areas with their traditional PC-based endpoints. For instance, data loss prevention heads the list of capabilities that IT respondents believe still is difficult to achieve for PC endpoints, followed by backup and recovery, endpoint security and compliance/e-discovery.


Which features/capabilities are difficult to achieve for PC endpoints?

Data loss prevention: 49%
Backup/recovery: 45%
Endpoint security: 45%
Compliance/e-discovery: 39%
Endpoint device management: 35%
Endpoint administration: 32%
Anywhere/anytime access to enterprise apps: 27%
Endpoint use analytics: 20%
Endpoint service: 19%

Conclusion

In an environment increasingly marked by pervasive, anytime/anywhere mobility, IT organizations face a significant challenge in protecting their endpoints against a wide range of threats. The accelerating momentum of BYOD and other technologies characterized as “the consumerization of IT,” however, is dramatically raising the stakes for organizations that want to provide users with flexible yet secure options for endpoint device usage. Data from research firm IDC notes that recovery-point objectives and recovery-time objectives are becoming increasingly stringent in organizations of all sizes, and that “edge protection” must be a central element in helping to avoid downtime and the considerable financial, operational and reputational costs associated with it. [4]

The challenges identified in the TechTarget survey results quoted throughout this paper require IT and security professionals to take a long, hard look at not only endpoint data protection, but also how to address endpoint-related issues as part of an overall enterprise mobility framework. Organizations should seek out, investigate, pilot and deploy endpoint data protection solutions that recognize that protecting non-PC endpoints raises vastly different issues from those often seen with desktops and notebooks. However, it remains essential that IT and security professionals come up with comprehensive endpoint data protection strategies—and look for relevant solutions—that can address all forms of endpoint devices when defining what data can be accessed, from which device.

[4] “The Critical Need for Edge Data Protection,” IDC, October 2014
