
Global Study on Mobility Risks

Survey of IT & IT Security Practitioners

Sponsored by Websense, Inc.


Independently conducted by Ponemon Institute LLC

Publication Date: February 2012

Ponemon Institute Research Report


Part 1: Introduction

Mobile devices are a mixed blessing for employees, and a mixed blessing for organizations, but for different reasons. Smartphones allow workers much more flexibility in managing their schedules, but at the cost of always finding themselves at work. Who among us has not answered work emails from the dinner table, waiting in line at a store, even from the car, and probably every room of the house? And organizations reap huge benefits from having near-instant responses even outside of work hours, but they simultaneously open the door to unprecedented loss of sensitive data. As laptops, iPhones, Androids, iPads, and USB drives increase in sophistication, they can do more and more, and they become more and more popular, but they also greatly increase the risk to an organization's networks, sensitive data, and ultimately, profits and reputation.

And so it is little wonder that quite a few security experts have designated smartphones and other mobile devices as one of the most serious threat vectors for an organization. [1] This is partially due to the nomadic work life of employees. Sensitive data on mobile devices travels physically and electronically, from the office to home and other off-site locations. According to a previous Ponemon Institute study of 116 organizations, 62 percent of mobile data-bearing devices that were lost or stolen contained sensitive or confidential information. [2]

IT has years of experience locking down desktops and encrypting laptop hard drives. Now that mobile devices are proliferating as corporate tools, the huge new exposure to data theft and loss cannot be ignored. According to a previous Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices. And only 28 percent said employee desktop computers were the cause. [3]

On the electronic front, mobile attacks are getting more sophisticated and effective. In the coming year, we expect to see targeted device attacks from malware, spyware, malicious downloads/mobile apps, phishing, and spam. Because of their ubiquity and disruptive growth, Androids and iPhones have emerged as particularly popular platforms for attack.

To help IT security professionals plan for an increasingly mobile electronic workforce, Websense, Inc. and Ponemon Institute have created this Global Study on Mobility Risks. We surveyed 4,640 IT and IT security practitioners in the United States, United Kingdom, Australia, Brazil, Canada, France, Germany, Hong Kong, Italy, India, Mexico, and Singapore. Fifty-four percent are supervisors or above, 42 percent are employed by organizations with more than 5,000 employees, and they have an average tenure of 10 years.

We define mobile devices as laptops, USB drives, smartphones, and tablets, and asked about four major issues:

- Importance of mobile devices in reaching business goals.
- Existence of enforceable policies that govern the use of mobile devices.
- Security risks created by employee use of mobile devices.
- Security technologies that reduce or mitigate mobility risks.

The top findings are alarming, but not surprising:

- Fifty-nine percent of respondents report that employees circumvent or disengage security features such as passwords and key locks.
- During the past 12 months, 51 percent of the organizations in this study experienced data loss resulting from employee use of insecure mobile devices, including laptops, smartphones, USB devices, and tablets.
- Seventy-seven percent of respondents agree that the use of mobile devices in the workplace is important to achieving business objectives. A similar percentage (76 percent) believes that these tools put their organizations at risk. Only 39 percent have the necessary security controls to address the risk, and only 45 percent have enforceable policies.
- Sixty-five percent of respondents are most concerned with employees taking photos or videos in the workplace, probably due to fears about the theft or exposure of confidential information. Other unacceptable uses include downloading and using internet apps (44 percent) and using personal email accounts (43 percent). Forty-two percent say that downloading confidential data onto devices (USB or Bluetooth) is not acceptable in their organizations.

[1] Dr. Larry Ponemon and Stanton Gatewood, Ponemon's Predictions: Trends in IT Security, Webinar sponsored by ArcSight, May 17, 2011
[2] Ponemon Institute's security tracking study of 116 global companies with a special carve-out on mobile-connected devices used by employees, conducted September 2010 through March 2011
[3] Ponemon Institute, Perceptions about Network Security, June 2011


Part 2. Analysis of key findings

In this section, we discuss the consolidated findings for all 12 countries represented in the study. The purpose of this research is to examine the impact employees' mobile devices have on the security of sensitive and confidential information and how organizations are responding to the risks. The complete audited findings are presented in the appendix.

Due to the importance of mobile devices for business reasons, more organizations need to have the necessary security controls in place. Seventy-seven percent of respondents say that employee use of mobile devices is essential or very important to their organization's ability to meet its business objectives. They also acknowledge that employee use of these devices puts their organizations at risk. Only 39 percent say that they have the necessary security controls in place to mitigate or reduce the threat as shown in Bar Chart 1.

Bar Chart 1: Perceptions about the use and risks of employees' mobile devices
Strongly agree & agree responses combined

- The employees' use of mobile devices in meeting business objectives is essential or very important: 77%
- The use of mobile devices in the workplace represents a serious security threat: 76%
- My organization has the necessary security controls to mitigate or reduce the risk posed by insecure mobile devices: 39%

Because of their many benefits, mobile devices will continue to be ubiquitous in the workplace. Restricting their use is not an option, so organizations need to address the risk through policies, processes, and enabling technologies.


Insecure mobile devices, including laptops, smartphones, USB devices, and tablets, increase rates of malware infections. As shown in Bar Chart 2, 59 percent of respondents say that over the past 12 months, their organizations experienced an increase in malware infections as a result of insecure mobile devices in the workplace, with another 25 percent unsure.

Bar Chart 2: Employees' use of mobile devices in the workplace increases malware infections.

- Yes: 59%
- No: 16%
- Unsure: 25%

We asked respondents to estimate by how much malware infections increased due to these insecure mobile devices. Bar Chart 3 reveals that 31 percent of respondents (17 percent + 12 percent + 2 percent) say that these devices are responsible for an increase of more than 50 percent in malware infections. Seventeen percent do not know.

Bar Chart 3: Percentage increase in malware infections due to insecure mobile devices

- Don't know: 17%
- Less than 10%: 10%
- 10 to 25%: 19%
- 26 to 50%: 23%
- 51 to 100%: 17%
- 101 to 200%: 12%
- More than 200%: 2%


Many organizations had data loss or serious exploits resulting from employee use of insecure mobile devices. Fifty-one percent of respondents say that their organizations experienced a data breach due to insecure mobile devices, and 23 percent are unsure. As shown in Bar Chart 4, the consequences of mobile data breaches were serious. They include theft, removal, or loss of information and/or other resources (38 percent); and disclosure of private or confidential information (31 percent).

Bar Chart 4: Consequences of a mobile device data breach

- Theft, removal or loss of information and/or other resources: 38%
- Disclosure of private or confidential information: 31%
- Interruption of services: 10%
- Destruction of information and/or other resources: 7%
- Other: 7%
- Corruption or modification of information: 6%


Fifty-five percent of respondents (37 percent + 18 percent) say that their organizations do not have a policy that addresses the acceptable or unacceptable use of mobile devices by employees or they are unsure. As shown in Bar Chart 5 in red, if they do have a policy, less than half (48 percent) say that the policy is enforced and 18 percent are unsure.

Bar Chart 5: Existence of mobile device acceptable/unacceptable use policies & enforcement of policies

- Our organization has a policy that addresses the use of mobile devices: Yes 45%; No 37%; Unsure 18%
- This policy is enforced: Yes 48%; No 34%; Unsure 18%

We asked those respondents who said that there is no enforcement of these policies to provide the reasons. Primarily it is due to lack of governance and oversight (58 percent) and because other security issues are a priority (47 percent). Thirty-nine percent cite insufficient resources to monitor compliance.

Bar Chart 6: Reasons for not enforcing policies
Two choices permitted

- Lack of governance and oversight: 58%
- Other security issues are a priority: 47%
- Insufficient resources to monitor compliance with the policy: 39%


Security settings and controls at the device level are required in many organizations but are often turned off. Forty-nine percent of organizations require mobile devices used in the workplace to have appropriate security settings and controls at the device level, 38 percent do not require security settings, and 13 percent are unsure. Bar Chart 7 shows that of those organizations that require security settings and controls, only 6 percent say that all employees are compliant and 15 percent do not know.

Bar Chart 7: Employee compliance with mobile device security requirements
[Bar chart. Categories: Less than 10%; 10 to 25%; 26 to 50%; 51 to 75%; 76 to 99%; 100% (every device); Don't know.]

As shown in Bar Chart 8, 59 percent say that their employees circumvent or disengage security features such as passwords and key locks. Only 29 percent say employees are compliant and do not engage in this practice. Twelve percent are unsure.

Bar Chart 8: Mobile device security features are circumvented or disengaged

- Yes: 59%
- No: 29%
- Unsure: 12%


The majority of respondents believe that diminished bandwidth, the loss of confidential information, and a decrease in employee productivity are the negative consequences of insecure mobile devices. Seventy-two percent of respondents say the top negative consequence of mobile devices is keeping up with the need to increase bandwidth (Bar Chart 9). This is likely due to the explosion in mobile media and the sharing of videos, music, and applications. Sixty-eight percent say that the loss of confidential information or violation of confidentiality policy is very likely to occur. Similarly, 68 percent also see a diminishment in employee productivity. About half (49 percent) of respondents believe that a negative consequence is an increase in malware infections.

Bar Chart 9: Negative consequences of insecure mobile devices
(Already happened and very likely to happen responses combined)

- Diminishes IT bandwidth: 72%
- Loss of confidential information or violation of confidentiality policy: 68%
- Diminishes employee productivity: 68%
- Increase in virus or malware infections: 49%


To mitigate the risks created by mobile devices, certain technologies are preferred. According to Bar Chart 10, the technologies considered essential or very important by respondents are: device level encryption, endpoint security solution, and identity & access management (IAM).

Bar Chart 10: Preferred technologies to mitigate the risks created by mobile devices
(Essential and very important responses combined)
[Bar chart. Technologies shown, in chart order: Device level encryption; Endpoint security solution; Identity & access management (IAM); Anti-virus/anti-malware (AV/AM); Mobile device management (MDM); Secure web gateway (SWG); Network intelligence (SIEM); Data loss prevention (DLP); Encryption solution; Content aware firewalls; Intrusion prevention (IPS) & intrusion detection (IDS); Database security solution.]

According to Websense, many companies make significant investments in encryption and endpoint security to protect sensitive data, but they often don't know how/what data is leaving through insecure mobile devices. Traditional static security solutions such as antivirus, firewalls, and passwords are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders. To safely permit corporate use of mobile devices, organizations need data loss prevention technology that knows where critical data is saved, who is accessing it, how it's attempting to leave, and where it's going. Real-time malware intelligence is also necessary because cybercriminals change their tactics faster than traditional security updates are pushed out. Websense recommends that organizations proactively deploy real-time anti-malware technology via cloud services that continually analyzes and re-analyzes websites and mobile applications. Using cloud security services enables organizations to protect remote users anytime and anywhere. For more information, read "A 3-Step Plan for Mobile Security."


The use of personal mobile devices is putting organizations at risk. As shown in Bar Chart 11, 85 percent of respondents say that their organizations allow employees to use their personal devices to connect to corporate email. Seventy-one percent permit access to personal (web-based) email and business applications.

Bar Chart 11: Acceptable use of mobile devices in the workplace
More than one choice permitted

- Corporate email: 85%
- Business applications: 71%
- Personal (web-based) email: 71%
- Wi-Fi or other local networks: 62%
- Non-business applications: 44%
- Other (please specify): 6%

According to respondents, personal devices are posing just as much risk as insecure corporate mobile devices. Fifty-eight percent say that their organization has experienced an increase in malware infections as a result of personally owned mobile devices used in the workplace. Fifty-six percent say that more confidential data has been lost as a result of these devices, while 26 percent are unsure (Bar Chart 12).

Bar Chart 12: Increase in malware infections and loss of confidential data

- Our organization has experienced an increase in viruses or malware infection: Yes 58%; No 19%; Unsure 23%
- The loss of confidential data has increased: Yes 56%; No 18%; Unsure 26%


Organizations worry about employees using their mobile device to take photos or videos in the workplace. According to Bar Chart 13, 65 percent of respondents say that this practice is frowned upon by their organizations and is considered unacceptable. Other unacceptable practices include: downloading and using internet apps (44 percent); using personal email accounts (43 percent); and downloading confidential data onto the device (42 percent).

Bar Chart 13: Unacceptable uses of mobile devices
More than one choice permitted

- Taking photos or videos in the workplace: 65%
- Downloading and using internet apps: 44%
- Using personal email accounts: 43%
- Downloading confidential data onto the device: 42%
- Downloading and watching videos: 25%
- Personal phone calls: 20%
- Using business email accounts: 15%
- Other: 4%


Part 3. Significant differences among various countries

This section covers the different perceptions among IT and IT security practitioners in 12 countries concerning the use of mobile devices in their organizations.

Perception of risk. According to Bar Chart 14, countries with organizations that are most likely to see mobile devices as a serious threat to their organization are Italy, France, and Australia. The countries with organizations that are the most confident that they have the necessary controls in place to address the threats are Singapore, Hong Kong, Germany, and Canada. Organizations in Italy and France have the highest percentage of respondents who recognize the risk of mobile devices but they are the least likely to have the necessary security controls in place to reduce risk.

Bar Chart 14: Two attributions about employees' mobile devices and the risk they pose
Results shown for 12 separate country samples
[Chart. Horizontal axis, in order: DE, HK, CA, MX, US, UK, SG, IN, BZ, AU, FR, IT. Series: "The use of mobile devices represents a serious security threat to my organization." and "My organization has the necessary security controls in place to mitigate or reduce the risk posed by insecure mobile devices."]

The horizontal axis to each line graph represents the individual country sample. See Table 1 (Methods section) for country legend used in this section.


Mobile devices are important tools for business. Bar Chart 15 shows that a majority of organizations in all 12 countries consider mobile devices important to meeting business objectives. More respondents in organizations in Italy, France, Germany, and Brazil consider mobile devices important.

Bar Chart 15: How important are mobile devices in meeting business objectives
Results shown for 12 separate country samples
[Bar chart. Horizontal axis, in order: AU, UK, US, CA, IN, MX, SG, HK, BZ, DE, FR, IT.]

Acceptable/unacceptable mobile device policy use in the workplace. According to Bar Chart 16, respondents in Germany, Brazil, and Hong Kong have the most organizations with an acceptable/unacceptable use policy for mobile devices. According to respondents, organizations in Italy, Canada, France, India, and the U.K. are less likely to have such a policy.

Bar Chart 16: Organizations that have a mobile device usage policy
Results shown for 12 separate country samples

UK 29%; IN 31%; FR 33%; CA 33%; IT 34%; US 35%; MX 45%; AU 45%; SG 52%; HK 60%; BZ 62%; DE 76%


Increased data loss and serious exploits due to mobile devices. Respondents in countries that report the most data loss and security exploits from insecure mobile devices are Italy, Canada, and Germany. Organizations with the least reported incidents are in Singapore, Brazil, and the U.K. (Bar Chart 17).

Bar Chart 17: Data loss or serious exploits due to insecure mobile devices
Results shown for 12 separate country samples

UK 41%; BZ 43%; SG 45%; FR 48%; AU 50%; US 51%; MX 52%; IN 53%; HK 55%; DE 57%; CA 58%; IT 58%

Employees disable mobile device security features. As shown in Bar Chart 18, respondents in Italy and France have the highest percentage of organizations reporting that employees circumvent or disengage mobile device security features, including passwords and key locks. Organizations in Germany and Canada report the lowest percentage.

Bar Chart 18: Employees circumvent mobile device security
Results shown for 12 separate country samples

DE 32%; CA 45%; SG 55%; UK 56%; HK 60%; US 60%; MX 61%; BZ 63%; AU 65%; IN 66%; FR 72%; IT 75%


Increase in malware infections. According to Bar Chart 19, a higher percentage of respondents in Germany, Hong Kong, Canada, India, and Australia report an increase in malware infections as a result of personally owned mobile devices used in the workplace. Organizations in Italy and Brazil report the lowest malware infections. The majority of organizations in all countries say that the loss of confidential data has increased as a result of personally owned mobile devices in the workplace (not shown in the bar graph).

Bar Chart 19: Mobile devices pose risks to sensitive data
Results shown for 12 separate country samples

BZ 42%; IT 52%; FR 55%; US 56%; SG 56%; UK 58%; MX 58%; AU 61%; IN 61%; CA 63%; HK 64%; DE 65%


Part 4: Summary and recommendations

In every part of the globe, IT and IT security practitioners recognize the positive impact that mobility brings to productivity. Benefits include 24/7 access to email, corporate documents, and other essential information. The challenge is how to ensure that mobile device use does not jeopardize the security of sensitive and confidential information.

Here are five recommendations on how to effectively manage security technology and enjoy the business benefits of mobile devices:

- Understand the risk that mobile devices create in the workplace. Conduct a risk assessment to understand what practices may be putting your organization at risk, such as storing large amounts of confidential data that are at high risk for data leakage and loss.
- Educate employees about the importance of safeguarding their mobile devices. Risky behavior includes downloading apps and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information.
- Create a comprehensive mobile device policy (including detailed guidelines) for all employees and contractors. The policy should address the risks and the security procedures that should be followed.
- Use enabling technologies to detect and prevent data theft and mobile malware danger. Implement layers of security where device management capabilities are supplemented by advanced secure access controls, threat protection provided by cloud services, and data theft protection at the endpoint to identify valuable intellectual property and protect it.
- Use policy controls to keep productivity and resource utilization in check.


Part 5: Details, methods, and limitations

The table below reports the sample response for the 12 country samples. The sample response was conducted over a 30-day period ending in July 2011. Our consolidated sampling consisted of 116,491 individuals who have bona fide credentials in the IT or IT security fields. From this sampling frame, we captured 5,131 returns of which 491 were rejected for reliability issues. Our final consolidated sample before screening was 4,640, thus resulting in a four percent response rate.

Table 1: Sample response for 12 countries

| Country | Legend | Sample frame | Returns | Rejections | Final sample | Response rate |
|---|---|---|---|---|---|---|
| United States | US | 15,775 | 655 | 54 | 601 | 3.8% |
| United Kingdom | UK | 9,885 | 419 | 32 | 387 | 3.9% |
| Canada | CA | 8,701 | 451 | 30 | 421 | 4.8% |
| Germany | DE | 11,063 | 560 | 25 | 535 | 4.8% |
| Australia | AU | 6,503 | 329 | 29 | 300 | 4.6% |
| Singapore | SG | 5,003 | 277 | 18 | 259 | 5.2% |
| Hong Kong | HK | 4,993 | 256 | 35 | 221 | 4.4% |
| Brazil | BZ | 11,090 | 504 | 76 | 428 | 3.9% |
| Mexico | MX | 12,509 | 398 | 52 | 346 | 2.8% |
| India | IN | 13,010 | 560 | 49 | 511 | 3.9% |
| France | FR | 9,005 | 367 | 40 | 327 | 3.6% |
| Italy | IT | 8,954 | 355 | 51 | 304 | 3.4% |
| Total | | 116,491 | 5,131 | 491 | 4,640 | 4.0% |

Pie Chart 1 summarizes the approximate position levels of respondents in our study. The majority (54 percent) of respondents are at or above the supervisory level. The average experience in IT or IT security is 10.35 years.

Pie Chart 1: Distribution of respondents according to position level
Consolidated for 12 separate country samples
[Pie chart. Categories: Senior Executive; Vice President; Director; Manager; Supervisor; Technician; Staff; Contractor; Other.]


Pie Chart 2 reports the respondents' primary industry segments. Seventeen percent are in financial services, which includes banking, investment management, insurance, brokerage, payments, and credit cards. Another 17 percent are in public sector organizations, including central and local government.

Pie Chart 2: Distribution of respondents according to primary industry classification
Consolidated for 12 separate country samples
[Pie chart. Categories: Financial services; Public sector; Health & pharma; Industrial; Retail; Services; Technology; Hospitality; Transportation; Education & research; Communications; Energy; Entertainment & media; Defense; Other.]

Pie Chart 3 shows that a majority of respondents (71 percent) are located in large organizations with more than 1,000 employees.

Pie Chart 3: Distribution of respondents according to organizational headcount
Consolidated for 12 separate country samples
[Pie chart. Categories: Less than 500 people; 500 to 1,000 people; 1,001 to 5,000 people; 5,001 to 25,000 people; 25,001 to 75,000 people; More than 75,000 people.]


Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

- Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in 12 countries, resulting in a large number of usable returned responses. Despite non-response tests, it is possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.
- Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners who deal with network or security issues. Responses from paper, interviews, or telephone might result in a different pattern of findings.
- Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, some respondents may not provide their true opinions.


Appendix: Audited Findings


The following tables report the percentage frequencies for all survey questions relating to mobility risks in the workplace (Part 2). The consolidated values for 12 separate country samples are reported. See Table 1 for additional details. Please note that Part 1 of the survey instrument is not reported here. These additional survey questions pertain to the use of social media devices in the workplace and were presented in a separate report, Global Survey on Social Media Risks in September 2011. All survey responses were gathered in July 2011.

Country samples (consolidated)

- Sample frame: 116,491
- Returned surveys: 5,131
- Rejected surveys: 491
- Final sample: 4,640
- Response rate: 4.0%

Part 2. Mobile device

Attributions: Five-point scale from strongly agree to strongly disagree. Reported is strongly agree and agree responses combined.

- Q13a. The use of mobile devices in the workplace represents a serious security threat to my organization: 76%
- Q13b. My organization has the necessary security controls in place to mitigate or reduce the risk posed by insecure mobile devices used in the workplace: 39%

Q14. How important is the employees' use of mobile devices in terms of meeting your organization's business objectives? Scale is from essential to irrelevant. Reported is essential and very important responses combined: 77%

Q15a. Does your organization have a policy that addresses the acceptable or unacceptable use of mobile devices by employees?

- Yes: 45%
- No: 37%
- Unsure: 18%
- Total: 100%

Q15b. If yes, is this policy enforced?

- Yes: 48%
- No: 34%
- Unsure: 18%
- Total: 100%

Q15c. If you answered no in Q15b, why isn't the policy enforced? Please select only two choices.

- Insufficient resources to monitor compliance with the policy: 39%
- Other security issues are a priority: 47%
- Lack of management concern: 26%
- Lack of technology solutions: 21%
- Lack of governance and oversight: 58%
- Other (please specify): 6%
- Total: 198%


Q16. What is an unacceptable use of a mobile device by employees within your organization?

- Personal phone calls: 20%
- Downloading confidential data onto the device (USB or Bluetooth): 42%
- Using business email accounts: 15%
- Using personal email accounts: 43%
- Downloading and using internet apps: 44%
- Downloading and watching videos: 25%
- Taking photos or videos in the workplace: 65%
- Other (please specify): 4%
- Total: 258%

Q17. What percentage of mobile devices used in the workplace are infected by viruses or malware? Your best guess is welcome.

- None: 14%
- Less than 1%: 13%
- 1 to 5%: 20%
- 5 to 10%: 18%
- 11 to 25%: 6%
- 26 to 50%: 6%
- 51 to 75%: 3%
- More than 75%: 6%
- Don't know: 14%
- Total: 100%

Q18a. Over the past 12 months, did your organization experience an increase in viruses or malware infections as a result of insecure mobile devices used in the workplace?

- Yes: 59%
- No: 16%
- Unsure: 25%
- Total: 100%

Q18b. If yes, approximately (in percentage terms) how much did viruses and malware infections increase during the past 12 months? Your best guess is welcome.

- Less than 10%: 10%
- 10 to 25%: 19%
- 26 to 50%: 23%
- 51 to 100%: 17%
- 101 to 200%: 12%
- More than 200%: 2%
- Don't know: 17%
- Total: 100%

Q19. Please rate the likelihood of each one of the following scenarios happening because of employees' use of insecure mobile devices in the workplace. Please use the five-point scale provided below each item from already happens to never. Reported are the already happened and very likely to happen responses combined.

- Q19a. Diminishes IT bandwidth: 72%
- Q19b. Diminishes employee productivity: 68%
- Q19c. The loss of confidential information or violation of confidentiality policy: 68%
- Q19d. An increase in virus or malware infections: 49%


Q20a. During the past 12 months, did your organization experience any data loss or serious exploits resulting from employees' use of insecure mobile devices?

- Yes: 51%
- No: 26%
- Unsure: 23%
- Total: 100%

Q20b. If yes, what was the nature of the data breach or security exploits?

- Destruction of information and/or other resources: 7%
- Corruption or modification of information: 6%
- Theft, removal or loss of information and/or other resources: 38%
- Disclosure of private or confidential information: 31%
- Interruption of services: 10%
- Other (please specify): 7%
- Total: 100%

Q21a. Does your organization require mobile devices used in the workplace to have appropriate security settings and controls at the device level?

- Yes: 49%
- No: 38%
- Unsure: 13%
- Total: 100%

Q21b. If yes, what is the approximate percentage of mobile devices used in the workplace that have appropriate security settings and controls? Your best guess is welcome.

- Less than 10%: 9%
- 10 to 25%: 11%
- 26 to 50%: 28%
- 51 to 75%: 12%
- 76 to 99%: 19%
- 100% (every device): 6%
- Don't know: 15%
- Total: 100%

Q22a. Do employees in your organization ever circumvent or disengage mobile device security features including passwords and key locks (a.k.a. jailbreak)?

- Yes: 59%
- No: 29%
- Unsure: 12%
- Total: 100%


Q22b. If yes, what is the approximate percentage of employees who disengage or turn off security features on their mobile device? Your best guess is welcome.
Response | Consolidated
Less than 10% | 8%
10 to 25% | 7%
26 to 50% | 37%
51 to 75% | 19%
76 to 100% | 5%
Don't know | 24%
Total | 100%

Q23. In your opinion, who in your organization is most likely to cause serious security problems because of insecure mobile devices?
Response | Consolidated
Senior level executives | 13%
Supervisors and managers in non-IT areas of the organization | 14%
Supervisors and managers in IT areas of the organization | 18%
Staff and associate level employees in non-IT areas of the organization | 22%
Staff and associate level employees in IT areas of the organization | 8%
Contractors and part-time employees | 19%
Other (please specify) | 6%
Total | 100%

Q24. In your opinion, how important is each one of the following enabling security technologies at reducing or mitigating security threats caused by the use of mobile devices in the workplace? Please indicate your opinion using the following scale: "Essential" to "irrelevant". Reported are "essential" and "very important" responses combined.
Technology | Consolidated
Mobile device management (MDM) | 61%
Data loss prevention (DLP) | 49%
Anti-virus/anti-malware (AV/AM) | 72%
Intrusion prevention (IPS) & intrusion detection (IDS) | 20%
Content aware firewalls | 21%
Identity & access management (IAM) | 73%
Endpoint security solution | 78%
Database security solution | 10%
Device level encryption | 79%
Network intelligence (SIEM) | 55%
Encryption solution | 42%
Secure web gateway (SWG) | 60%
Other (please specify) | 5%
Total | 623%

Q25. Approximately, what percentage of mobile devices used in the workplace are owned by employees (rather than provided by the organization)? Your best guess is welcome.
Response | Consolidated
None | 14%
Less than 10% | 6%
10 to 25% | 8%
26 to 50% | 31%
51 to 75% | 15%
76 to 100% | 9%
Cannot determine | 18%
Total | 100%


Q26. Do you allow employees' personally owned mobile devices to connect to any of the following within your corporate IT infrastructure? Please check all that apply.
Response | Consolidated
Corporate email | 85%
Personal (web-based) email | 71%
Business applications | 71%
Non-business applications | 44%
WIFI or other local networks | 62%
Other (please specify) | 6%
Total | 340%

Q27. Did your organization experience an increase in viruses or malware infections as a result of personally owned mobile devices used in the workplace?
Response | Consolidated
Yes | 58%
No | 19%
Unsure | 23%
Total | 100%

Q28. Has the loss of confidential data increased as a result of personally owned mobile devices in the workplace?
Response | Consolidated
Yes | 56%
No | 18%
Unsure | 26%
Total | 100%

Part 3. Organizational characteristics & respondent demographics

D1. What organizational level best describes your current position?
Response | Consolidated
Senior Executive | 1%
Vice President | 2%
Director | 14%
Manager | 21%
Supervisor | 16%
Technician | 27%
Staff | 13%
Contractor | 4%
Other | 3%
Total | 100%

D2. Total years of relevant experience
Measure | Consolidated
Total years of IT or security experience | 10.35
Total years in current position | 4.70


D3. Check the primary person you or your IT security leader reports to within the organization.
Response | Consolidated
CEO/Executive Committee | 1%
Chief Financial Officer | 3%
General Counsel | 1%
Chief Information Officer | 62%
Compliance Officer | 11%
Human Resources VP | 1%
CISO/CSO | 14%
Chief Risk Officer | 3%
Other | 6%
Total | 100%

D4. What industry best describes your organization's industry focus?
Response | Consolidated
Communications | 3%
Defense | 2%
Education & research | 4%
Energy | 3%
Entertainment & media | 3%
Financial services | 17%
Health & pharma | 10%
Hospitality | 5%
Industrial | 8%
Public sector | 17%
Retail | 8%
Services | 6%
Technology | 5%
Transportation | 4%
Other | 5%
Total | 100%

D5. Where are your employees located? (Check all that apply):
Response | Consolidated
United States | 87%
Canada | 63%
Europe | 67%
Middle East & Africa | 38%
Asia-Pacific | 70%
Latin America (including Mexico) | 68%

D6. What is the worldwide headcount of your organization?
Response | Consolidated
Less than 500 people | 12%
500 to 1,000 people | 17%
1,001 to 5,000 people | 29%
5,001 to 25,000 people | 22%
25,001 to 75,000 people | 14%
More than 75,000 people | 6%
Total | 100%


Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
