
SURVEY

U.S. Mobile Security Survey, 2013


Phil Hochmuth
John Grady
Christian A. Christiansen

Charles J. Kolodgy
Sally Hudson

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA

P.508.872.8200

F.508.935.4015

www.idc.com

IDC OPINION
The views of U.S. enterprises on personal mobile devices (PMDs) vary widely
depending on the organizations' tolerance for risk as well as their general reliance on
mobility to drive productivity and revenue. To some IT-controlled firms, or organizations
that disallow PMD use, the acronym PMD is viewed as "potential mass destruction" with
regard to perceived risks of data loss or breaches associated with uncontrolled mobiles;
for many such organizations, mobility is too essential to the business to introduce risks
from unknown devices. For firms adopting the bring-your-own-device (BYOD) stance,
PMDs represent an opportunity to have a more empowered workforce while offloading
the cost of hardware, and potentially services, to the end users. However, many of
these organizations rely less on mobility as an essential technology for employees and
thus have greater tolerance for risk. U.S. enterprises use a wide variety of products and
services to secure their employees' mobile devices, and the approach, mix, and types of
solutions deployed correlate with the organizations' appetite for risk regarding PMDs, the
level of mobility among organizations' workforce, and the size of the organizations in
terms of employees and locations. According to IDC's recent study on mobility trends,
the majority (62.5%) of United States-based enterprises consider themselves BYOD
inclined, while a little more than one-third of enterprises are IT controlled when it comes
to PMDs in the workplace. Other key findings in the survey include:
- Mobile malware is a top security concern among IT-controlled enterprises (68%).
- Exposure of sensitive data (via "leaky" or misconfigured apps) is the top concern
  among BYOD firms.
- Organizations of all types see social media and cloud storage as the greatest
  threats in terms of mobile app usage.
- Mobile security services (from carriers or MSPs) are the least deployed and most
  frequently "not planned" technology for protecting mobile workforces. However,
  organizations that have experienced a mobile-related data breach are more likely
  to install mobile security services to augment deployed mobile security hardware
  and software products.
- While three-quarters of enterprises see PMDs as a risk factor, two-thirds of
  enterprises also say employees using PMDs have a good understanding of the
  risks involved.

Filing Information: April 2013, IDC #240598, Volume: 1


Security Products: Survey

IN THIS STUDY
Methodology
IDC's U.S. Mobile Security Survey, 2013, is a Web-based survey of 200 IT decision
makers at United States-based enterprises (with 1,000+ employees) conducted in
February 2013. Key questions and themes of the survey included:
- Top mobile security issues and challenges
- Key technologies enterprises are using, planning, and planning not to use to
  secure mobile workforces
- Vendor choices: "core" versus "complementary" security technologies
- Analysis of IT-controlled versus BYOD enterprises
- Mobile security incidents and breaches experienced
The organizations surveyed spanned 14 different vertical markets, including
healthcare, finance, manufacturing, government, military, and education.
Respondents were required to be in a position to make purchasing decisions and/or
technical evaluations of mobile security products and services for their organization.
IDC's U.S. Mobile Security Survey, 2013, is the first of four surveys to be published
on a quarterly basis throughout 2013, with each survey focusing on one of IDC's
Four Pillar research areas: mobility, cloud, social business, and Big Data/analytics.
Following the 2013 U.S. Mobile Security Survey, forthcoming surveys will study how
cloud computing, social media, and Big Data/analytics are affecting enterprise data
and network security. These studies are slated for publication in the second, third,
and fourth quarters of 2013.
Note: All numbers in this document may not be exact due to rounding.

SITUATION OVERVIEW
Survey Findings
The momentum behind the BYOD movement and the use of PMDs in the office have
been extensively chronicled in the technology and mainstream press. Empirical data
from our study backs up these trends. To gauge how enterprises are responding to
the influx of PMDs in the workplace, respondents were asked, "Which statement best
describes the state of mobile/smartphone usage in your environment?"
- An IT-controlled environment is defined as one in which only corporate-issued
  devices are allowed to access enterprise applications and data.
- In a mix of IT-controlled environment and PMDs, both are allowed equal access
  to enterprise network applications and data.
- A decentralized environment is defined as one in which devices are not generally
  issued by the employer and any PMD is allowed to access corporate systems.
For data analysis purposes, we have grouped "mixed" environments and
"decentralized" environments into a single category, calling them BYOD environments.
Nearly two-thirds (62.5%) of all respondents categorized themselves as BYOD
environments (114 respondents were mixed environments; only 22 respondents were
decentralized environments). Of the total survey base, just over one-third (37.5%) of
organizations were IT-controlled environments (see Figure 1).

FIGURE 1
Enterprises' Trend Toward BYOD Environments
Q. Which statement best describes the state of mobile device/smartphone usage in
your environment?

n = 200
Source: IDC's U.S. Mobile Security Survey, 2013

Regarding mobility, enterprises were asked to define the level of mobility among the
workforce as follows:
- Highly mobile (>50% of employees travel frequently outside the office and access
  corporate with mobile devices)
- Frequently mobile (30–49% of employees are mobile or travel frequently)
- Moderately mobile (10–29% of employees travel)
- Nonmobile (>10% of employees travel at any time)

Based on these responses, IDC grouped the categories into two overarching mobile
personas: "mobile oriented," which combines the categories of highly and frequently
mobile enterprises, and "mobile averse," which comprises moderate and nonmobile
enterprises.
Regarding company size, respondents were broken down into three categories:
- Small enterprise: organizations with 1,000–4,999 employees
- Medium-sized enterprise: organizations with 5,000–9,999 employees
- Large enterprise: organizations with more than 10,000 employees
From these basic characteristics, a clearer picture emerges of how organizations are
using and controlling mobile devices. Among IT-controlled environments, nearly half
of these organizations are considered "highly mobile." This indicates that in
organizations where a mobile workforce is critical for productivity and growth, control
over devices, and more importantly the data and apps on them, is a key requirement.
This might include organizations with a large road warrior workforce (consultancies,
sales teams, and field workers), which drives business and revenue.
On the opposite end, only a quarter of BYOD enterprises categorized themselves as
highly mobile, although overall BYOD-focused enterprises were slightly more mobile
oriented than IT-controlled firms (72% of BYOD firms were also mobile oriented; 68%
of IT-controlled firms considered themselves in this category). Another way to
interpret this is that mobility has permeated enterprises at all levels; highly mobile,
IT-controlled enterprises do mobility "for a living" (it's a must-have capability);
meanwhile, BYOD-focused, mobile-oriented firms view mobility as more of a "nice to
have" capability (see Figure 2).

FIGURE 2
Makeup of Employee Base in Terms of Location
Q. How would you describe the makeup of the majority of your employee base
in terms of location?

Source: IDC's U.S. Mobile Security Survey, 2013

Data Breach Trends


A key question in the survey was, "Has your organization experienced in the past 12
months any data breach incidents (i.e., data loss or exposure of confidential
information) in which it was determined that the usage of a mobile device was a
factor?" Among respondents:
- 36.5% answered Yes and are considered Breached.
- 58.5% answered No and are considered Non-Breached.
- 5% of organizations said they did not know.
Whether a firm was IT controlled or BYOD had little consequence on the frequency of
mobile-related breaches (38% for BYOD firms versus 35% for IT-controlled firms). As
might be expected, 46.8% of mobile-oriented firms experienced a breach in the past
12 months, while only 11.9% of mobile-averse firms experienced a mobile-related
breach (see Figure 3).

FIGURE 3
Data Breach Incidents Among Mobile-Averse and
Mobile-Oriented Firms in the Past 12 Months
Q. Has your organization experienced in the past 12 months any data breach incidents (i.e.,
data loss or exposure of confidential information) in which it was determined that the usage
of a mobile device was a factor?

Source: IDC's U.S. Mobile Security Survey, 2013

The majority of respondents indicated their organization had between one and nine
locations. Of these respondents, 37% had experienced a data breach. Thirty percent
of firms with 10–99 locations experienced breaches, while half of very dispersed
organizations with over 100 locations said they experienced a breach. Also
noteworthy, 8.7% of very dispersed organizations said they did not know if they
experienced a breach, the highest rate among any of the three size groups.
The percentage of respondents who experienced a breach increased with regard to
the size of the organization from an employee standpoint as well. Fewer than 30% of
small enterprises had experienced a breach, while just over a third of medium-sized
enterprises said a breach had occurred. Among the large organizations with more
than 10,000 employees, close to half (49%) said they had experienced a breach.
Also, 10.4% of very large enterprises said they do not know if they had experienced a
breach, again showing that large organizations, whether measured by size or
location, often have less visibility into the activities of their mobile workforce.

Security Product Choice for Enterprise Mobility


Respondents were asked to describe the status or plans for security product
deployments targeted at securing their mobile workforces. This included both
mobile-specific security solutions (such as mobile endpoint software or mobile security
services) and mobile management solutions (mobile device management [MDM] and
mobile applications management [MAM]). Traditional security technologies that could
be used to secure mobile devices and traffic were also considered.
General security products, as opposed to mobile-focused tools, were the most
frequently deployed solutions for securing mobile workforces among respondents; at
54%, security functions in wireless LAN (WLAN) infrastructure were the most widely
deployed technology for securing mobile devices and users. This makes sense, as
the first point of contact for an employee-owned device in an organization is
with the corporate WLAN. Many enterprises use common approaches such as access
control lists, passwords, and guest/quarantine WLANs to control how mobile devices
access the network. IT-controlled firms did this more frequently (64%) compared with
BYOD firms (48%), which suggests that the majority of enterprises, which are BYOD
focused, are opening WLANs up to end users' PMDs in the office.
Security gateway solutions (Web filtering, firewall, UTM, and VPN technologies)
were the second most deployed technology for mobile workforce security, as just over
50% of organizations are using mobile features in these gateways. (Relating to the
WLAN control trend, network access control [NAC] ranked fourth in deployments, at
45.5%.)
Mobile device management, at 50%, was the third most deployed technology. MDM
solutions are primarily management platforms, which control the configuration of mobile
devices and security tools. Enterprises see MDM as a valuable way to secure mobile
devices. In the case of mobile applications management platforms, fewer than 40% of
organizations had deployed application containerization solutions, which allow for the
separation of work and personal environments on mobiles, tablets, and smartphones.
Security and managed services from wireless service providers or carriers (i.e.,
AT&T, Verizon) and security SaaS solutions represented the bottom tier, with fewer
than 40% of organizations deploying these solutions. Mobile security services from a
managed security service provider (MSSP) were deployed in 35.5% of all
organizations surveyed. Last, cloud or SaaS-based Web security solutions were the
least deployed technology for mobile security, with a little more than one-third (34.5%)
of organizations having deployed this technology. Interestingly, the highest frequency
of technologies enterprises said they had "no plans" to deploy were mobile security
services from MSSPs or wireless carriers (see Figure 4).

FIGURE 4
Organizations' Mobile Security Solution Deployment Plans
Q. Please indicate what plans your organization has, if any, for deploying the following
technologies to address mobile security concerns.

n = 200
Source: IDC's U.S. Mobile Security Survey, 2013

U.S. enterprises will more likely address mobile security challenges with on-premise
software/hardware solutions rather than with services and SaaS. In particular,
enterprises will leverage features in existing infrastructure, mobile management
platforms, and general-purpose security platforms to secure mobile workforces. While
mobile-specific security products, such as mobile endpoint software, are being deployed
and considered, these are largely secondary to infrastructure-based technologies.

However, mobile security services and mobile-specific security products (such as
mobile endpoint security software) are used, or are being evaluated, more frequently
by enterprises that have experienced a mobile-related data breach. Among breached
organizations, 45% have security services from mobile carriers deployed versus 33%
of non-breached organizations. Also, 60% of breached firms say they are evaluating
or plan to deploy mobile MSSP services in the next 12–24 months, while only 43% of
non-breached firms had similar trials/plans.
Comparing deployed/planned solutions between BYOD and IT-controlled
respondents, the greatest disparities in deployment between these two
organization types included application containerization solutions (49% deployed in
IT-controlled environments; 34% deployed among BYOD firms).
IDC's interpretation of the data indicates that IT-controlled firms take measured,
planned approaches to mobility in terms of buying and deploying security
technologies, in addition to having policies around not permitting PMDs on corporate
networks. BYOD firms are, as their nature indicates, less restrictive and less
frequently deploy products to limit and secure access to networks and data. BYOD
firms are more likely to go mobile first, and "ask questions later," with regard to
deploying solutions for controlling and managing end-user devices. BYOD firms are
less likely to put up barriers to WLAN network access and far less likely to utilize
mobility identity, application management, and endpoint client security software
agents than IT-controlled firms.

Assessment of End-User Risk


Two questions in the survey measured how enterprise IT views the risk of mobile device
usage among the end-user population. Respondents were asked to show their level of
agreement from 1 to 5 (with 5 being strongly agree) to the following statements:
- Increased usage of personal smartphones and tablets by employees at work
  poses security risks to my organization.
- Employees who use their personal smartphones for work purposes understand
  the risks and are aware of proper security practices.
While only 25% of BYOD firms strongly agreed that increased usage of PMDs posed
a security threat, only 26.4% of BYOD firms strongly agreed that employees using
PMDs at work understood the risks. This indicates that these firms know there is an
inherent lack of awareness as to the risks of PMD usage, but these firms are probably
not supporting access to many critical applications or data sources for employees'
personal devices. In contrast, 46.7% of IT-controlled firms viewed PMDs as a risk, but
nearly 39% of firms also agreed that employees understood the risks involved (see
Figure 5). This indicates that IT-controlled firms, while restrictive in what devices are
allowed, may be doing a better job overall in educating their workforces
regarding responsible device usage. BYOD firms appear to have a ways to go in this
respect, again, pointing to a "go mobile first, ask questions later" approach, as
described in the Security Product Choice for Enterprise Mobility section.

FIGURE 5
Security Risks Caused by Increased Usage of Employees'
Personal Smartphones and Tablets
Q. Indicate your level of agreement with the following statements on a scale from 1 to 5, with 1
being "strongly disagree" and 5 being "strongly agree." Increased usage of personal
smartphones and tablets by employees at work poses security risks to my organization.

Source: IDC's U.S. Mobile Security Survey, 2013

Awareness of risks regarding mobile devices also increased with the frequency of
mobile usage. Among mobile-oriented firms, 72% of firms agreed or strongly agreed
that their end users were aware of the risks regarding mobile device usage, whereas
only 44% of mobile-averse firms agreed/strongly agreed that their end users were
aware of the risks regarding mobile device usage. As mobile-averse organizations
become more mobile, a greater risk for data loss or breaches or security usage in
general may exist.
Larger organizations, both in terms of user population and number of locations, saw
greater risks regarding the use of PMDs than smaller firms. Among organizations with
more than 100 locations, 40% agreed that the increased use of PMDs poses a
security risk, while 20% of organizations with 10–99 locations agreed with this.
However, regarding the number of employees, there was not much of a difference
among small, medium-sized, and large enterprises regarding views on PMDs and
risk. A third of small enterprises strongly agreed that the increased use of mobile
devices introduces risk, and that frequency increased only slightly among medium-sized
and large enterprises (34% and 36%, respectively).

Top Mobile Threats: Leaky Apps and Data Loss


Enterprises, both BYOD and IT controlled, see a wide range of threats to their mobile
device deployments. Insecure or loosely secured privacy settings on mobile
applications (i.e., social network collaboration or contact records applications) were the
most frequently cited threat among all survey respondents. This is a very real issue
for many enterprises as workers begin to integrate personal applications with
business contact lists and professional directories. Some social and productivity
applications have been known to surreptitiously upload users' entire contact lists or
databases of connections from other social media applications onto unknown servers.
Others can reveal potentially sensitive information such as the users' geolocation or
the identification number of the users' devices. These trends worry organizations as
potentially sensitive customer contact information, sales leads, or confidential
information may be leaked by end users without their knowledge.
The issue of insecure or loosely secured privacy settings was the most frequently cited
among BYOD firms, as 69.6% said this was a top threat to their mobile devices in their
organization. Only 53.3% of IT-controlled firms cited this as an issue; however, this
percentage could likely be attributed to the fact that IT-controlled firms disallow such
applications, which could be susceptible to unwanted contact uploading (see Figure 6).

FIGURE 6
Top Mobile Security Threats
Q. What are the top security threats to mobile devices (whether personal or
employee owned)?

Source: IDC's U.S. Mobile Security Survey, 2013

IT-controlled firms more frequently cited mobile malware as a top threat, with 68% of
these firms naming or citing this as a challenge. However, fewer than 60% of BYOD
firms said this was an issue. BYOD and IT-controlled firms cited equally the issue of
mobile device loss or theft as a threat. BYOD firms saw the intermingling of
employees' work and personal apps on mobile devices as an issue, with 39.2% of
such firms citing this as a challenge; however, only 30.7% of IT-controlled firms cited
this as an issue, again reflecting the habit of these organizations to tightly control
what apps and data reside on mobile endpoints.

Mobile App-Oplexy
As with many aspects of mobility and risk, an enterprise's profile correlates with how
an enterprise's IT organization views mobile applications and risk. Opinions vary
widely among IT-controlled and BYOD firms as well as breached and non-breached
firms regarding apps such as social media, cloud storage, and photo sharing.
Not surprisingly, social media applications (Facebook, Twitter, LinkedIn) were the
predominant bogeyman among all types of enterprises. More than 70% of total
respondents, BYOD as well as IT controlled, cited these social media apps as a
threat. Closely following social media was cloud storage (Dropbox, Box.net, etc.).
Across the board, 59% of all enterprises cited cloud storage as a major threat. This
indicates that even BYOD firms, with more liberal policies around personal device
usage, realize the potential damage to sensitive data or inappropriate content
transiting from the enterprise to the cloud via employees' smartphones (see Figure 7).

FIGURE 7
Information Security Risk for Organizations from
Noncorporate Mobile Applications
Q. What types of noncorporate mobile applications pose the greatest risk to information
security in your organization?

Source: IDC's U.S. Mobile Security Survey, 2013

Remote PC access tools such as GoToMyPC or VNC for mobile devices are
actually viewed as more of a threat among BYOD firms (55%) versus IT-controlled firms
(44%); however, this stands to reason as IT-controlled firms are more likely to lock
down mobile devices and PCs from noncorporate remote access tools. However, it also
indicates that a trend exists in more open environments, where employees are using
personal smartphones as a way to access PCs and other machines behind their
corporate firewall. (Relative to this, BYOD firms also cited greater frequencies of
breaches in which unauthorized users access corporate applications from an
employee's mobile device than IT-controlled firms, or among all enterprises in general.)

FUTURE OUTLOOK
From the data, we see a pattern that many enterprises are "backing into" securing
their mobile workforces with products designed for general-purpose IT security
(security gateways, NAC) or even network infrastructure in general (i.e., WLAN). This
speaks to the nature of mobility in the majority of enterprises: BYOD or a mix of
IT-controlled and employee-owned mobile devices, which can access corporate data
and applications. Organizations that do mobility "for a living" (i.e., organizations that
have highly mobile workforces, which are relied upon to drive revenue and
productivity) are more likely to be IT controlled from a mobile device standpoint and
are also more likely to use mobile-specific security and management technologies,
such as mobile endpoint security agents.
The security approach enterprises will have to take with mobile employees, especially
the majority of BYOD-focused firms, will be more lateral than head-on; existing
technologies and infrastructures will have to be expanded and features added to
accommodate the BYOD trend in the enterprise.

ESSENTIAL GUIDANCE
Vendors of security products targeting mobile enterprises must have a clear
understanding of the mobility profile of their target customers and tailor the feature
sets, go-to-market strategy, and integration efforts around these solutions to match
customer needs. One-size-fits-all approaches will fall short of enterprises'
expectations and require customers to piece together solutions that work for their
mobile security needs. This is especially true for security product vendors with
mobile-targeted offerings, such as MDM/MAM or containerization platforms.
Service providers and MSPs must increase awareness of their mobile security
offerings among enterprises while differentiating and emphasizing the benefits of
services on top of product-based solutions. From the data, organizations do not see
services as a primary protection technology for their mobile workforces; however,
among organizations that have been breached or have high concerns about mobile
data and device loss/compromise, mobile security services (particularly those from
wireless carriers) are seen as a strategic backup solution for augmenting mobile
security infrastructure. Security SaaS solutions providers with mobile-focused
products must also emphasize advantages of a non-hardware/software and, in
particular, an agentless approach to mobile security, particularly among BYOD-focused
enterprises, which are the majority of customers.

LEARN MORE
Related Research
- Worldwide Mobile Enterprise Security Software 2013–2017 Forecast and
  Analysis (IDC #240014, March 2013)
- Worldwide Security 2013 Top 10 Predictions (IDC #239424, February 2013)
- Worldwide IT Security Products 2012–2016 Forecast and 2011 Vendor Shares:
  Comprehensive Security Product Review (IDC #237934, November 2012)

Synopsis
This IDC study discusses the findings from the U.S. Mobile Security Survey regarding
threats posed by mobile devices and apps among BYOD and IT-controlled firms.
"Mobile devices and apps pose a great security risk in the eyes of most enterprise IT
security professionals," says Phil Hochmuth, program manager for IDC's Security
Products Research group. "At the same time, there is a general acceptance, or a
sense of inevitability, among IT professionals that mobile devices are here to stay
and that ultimately, end users will come to understand the risks involved with mixing
personal devices with corporate application and data resources."

Copyright Notice
This IDC research document was published as part of an IDC continuous intelligence
service, providing written research, analyst interactions, telebriefings, and
conferences. Visit www.idc.com to learn more about IDC subscription and consulting
services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please
contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or
sales@idc.com for information on applying the price of this document toward the
purchase of an IDC service or for information on additional copies or Web rights.
Copyright 2013 IDC. Reproduction is forbidden unless authorized. All rights reserved.
