IT Pros Want Cheap Mobile Security

IT staff are concerned about mobile security – but they’re also worried about the cost of prevention methods, a survey says

IT staff are worried about mobile security, but are concerned to make sure prevention methods are cost-effective, according to a survey by the Ponemon Institute.

The highest sources of risk to businesses are applications, wireless devices and endpoints, while the biggest danger is loss of data, according to the survey of 488 experienced IT and security professionals. It was carried out in the UK by independent research body Ponemon and sponsored by mobile operator Vodafone and security company F-Secure.

Professionally paranoid

The survey canvassed opinions rather than measurable data, and asked the sample to talk about “return on prevention” (RoP), a security-specific spin on the more normal “return on investment” (RoI) measure for IT projects.

The benefit of any security measure can be measured in terms of the cost savings it makes by preventing disastrous breaches… but those costs have to be multiplied by the likelihood of the event occurring, making the calculation somewhat theoretical, conceded Ashley Winton, a partner at law firm White & Case, who presented the Ponemon study at a London meeting.

“Return on prevention is more practical than return on investment,” said Winton, explaining that – not surprisingly – cheap technologies whose effectiveness is easy to see, such as anti-virus and firewalls, have a high RoP score.

Under the survey’s guarantee of anonymity, the IT people groused about their companies’ lack of protection, with 68 percent of people saying they did not currently have the necessary resources to manage threats, 66 percent saying security is “not viewed as mission critical”, and 59 percent saying policies are not in place, or not enforced.

They also did not rate their bosses: 65 percent said “senior leaders are not supportive of our security and data protection initiatives”, and only 14 percent said it was important in RoP terms to keep the CEO in the loop on security.

Endpoints and wireless devices gave the most worry, and users were concerned about losing data – especially given the high penalties now imposed by the ICO on data loss, and the likelihood of increased penalties driven by the EU.

Mobile threats

The survey sample was aware of the risks to mobiles, and gave a high RoP perception to anti-virus and anti-malware on mobile devices, as well as encryption. “Some people think that it’s just a phone, but the perception is there amongst professionals, that there is a need to protect data on mobile devices, just as much as fixed ones,” said Brian Burton, head of IT security at Vodafone UK.

But mobile threats will be different, according to Tom Gaffney, security adviser at F-Secure: “The mobile architecture is quite different, and there is a lower chance of a random virus, so the main attacks will be targeted.” IT professionals may also find mobile devices harder to protect, as the devices may have been bought by consumers who then use them for work: “Mobile devices are much harder to put policies out on.”