The latest report from Ofcom, the UK communications regulator, has important news for every enterprise IT organisation: As of this year in the UK, the most popular device for accessing the Internet is the smartphone.
Specifically, the 2015 Communications Market Report found that 33% of Internet users in the UK consider smartphones their most important device for online access. Laptops remain important, but now trail at 30%.
What enabled the smartphone to overtake the long-popular laptop? Part of the answer is the widespread adoption of 4G networks, which enable rich media content such as video to be delivered without buffering. In the course of 2014, 4G subscriptions rose from 2.7 million to 23.6 million—a nearly tenfold increase.
Now that popular video content is available on smartphones, they have become our go-to devices. Two-thirds of UK adults own smartphones, and over half of these users describe themselves as ‘hooked’ on their devices. They are spending about two hours on their devices each day, on average. Those two hours can begin quite early in the day: about half of smartphone owners between the ages of 18 and 24 report checking their devices within 5 minutes of waking up.
Enterprises that ignore these trends do so at their own risk. While IT security for desktops and laptops remains important, now that employees are increasingly accessing business data on smartphones, smartphone security needs the same level of attention, if not more. Surveys tell us, year after year, that many organisations have yet to define BYOD (Bring Your Own Device) policies for their employees. Even fewer organisations offer security training for their BYOD users.
The result is that these devices and the data they are storing and transmitting are at risk. And when you consider how and where smartphones are used, the risk of a breach is quite real.
Smartphones go everywhere. Small enough to be slipped into a pocket or purse, they travel even more broadly than laptops. Users access them continually, from that first groggy checking of email within 5 minutes of waking up to that late-night scrolling through email after the dessert course.
These casual glances are convenient—and risky. Who really double-checks the Wi-Fi security in restaurants, pubs, and lobbies? When else is a user more likely to click on a phishing attack that may resemble a legitimate message?
The median time-to-click for an inbound phishing attack is now a mere one minute and 22 seconds, according to Verizon’s latest report on data breaches. Worse, Verizon discovered nearly one in four users take the bait, clicking on a phishing message. The fact that we’re continually skimming and clicking on our smartphones in environments where we're distracted surely contributes to these dismaying results.
Portability creates other risks, too. Many devices end up being lost or stolen. When not protected by rigorous passcodes and encryption, these stray devices can result in data breaches. Over a million smartphones were stolen in the U.S. in 2014 and about 15% of all data breaches are the result of devices being lost or stolen.
These are just some of the security risks created by the BYOD revolution.
Of course, this revolution brings benefits, as well. Through smartphones and tablets, employees can access email and IT services more easily than ever before. Employee productivity is up, as a result, even if most of that activity is due to employees accessing basic services like email after hours.
To ensure that these benefits outweigh the risks, however, organisations need to take action. Business content, ranging from financial data to healthcare records, is now mixed with personal content in a dangerous, click-before-you-think environment. As a result, enterprise IT organisations need to bring security not just to user accounts, but also to user devices. They need to bring rigorous IT practices and technologies—such as “secure containers,” access controls, AV scanning, audit trails, and more—to smartphones, while fitting into the casual 24/7 environment of mobile users.
The Ofcom report should be our wake-up call. It is time for enterprises to address the risks posed in this digital age by setting forth security policies and deploying enterprise-grade security solutions.