Contents

Introduction
Rapid Adoption of Enterprise Mobility Continues
Data Security Biggest Challenge When Implementing BYOD Policies
Risk Reduction Policies Are a High Priority for Organizations Seeking to Mitigate Mobile App Security Risks
Most Organizations Are Not Taking Action to Block Risky App Behaviors
Conclusion
Infographic
Survey Background
Methodology and Sampling
Survey Demographics
Location of Respondents
Respondents' Vertical Market
Software Licensing and Provisioning Research at IDC
About Flexera Software

The BYOD Trojan Horse 2
The BYOD Trojan Horse: Dangerous Mobile App Behaviors & Back-Door Security Risks
A Report by Flexera Software with input from IDC

Introduction

In the aftermath of the Sony hacker incident, IT security is once again in the spotlight. Connected organizations are being especially vigilant against malicious players seeking to gain entrance into their networks and do harm. With the rapid infusion of mobile devices within the enterprise and the growing adoption of Bring Your Own Device (BYOD), mobility is also fast becoming another focal point for containing security risk. Shoring up networks to defend against mobile hacker threats is certainly a high IT priority. But what about less obvious risks posed by mobile devices and the apps running on them?

Consider a seemingly innocuous mobile phone flashlight app. Recently a Federal Trade Commission lawsuit revealed that a flashlight app maker was illegally transmitting users' precise locations and unique device identifiers to third parties, including advertising networks. Or consider the Environmental Protection Agency's (EPA) recent embarrassment, when an employee playing on a Kim Kardashian Hollywood app tweeted out to the EPA's 52,000 Twitter followers, "I'm now a C-List celebrity in Kim Kardashian: Hollywood. Come join me and become famous too by playing on iPhone!" What happened? The employee was using the app on her BYOD device. Unbeknownst to the employee, the app had the ability to automatically access the phone's Twitter account and tweet out messages when certain game thresholds were reached. Unfortunately for the EPA, the BYOD device was connected to the EPA's official Twitter account, not the employee's.

What's the lesson here? Mobile app security risk is not limited to malevolent hackers and unfriendly governments.
Threats to corporate data and reputation can be hidden, like a trapdoor in a Trojan horse, in the most seemingly innocuous apps, and can be unleashed on the organization by the most well-intentioned employee. Because of these hidden risks, we wanted to understand whether enterprises are aware of the risky behaviors associated with mobile apps that could compromise data security, and if so, what they're doing about it.
Rapid Adoption of Enterprise Mobility Continues

According to our survey, enterprises are rapidly implementing the policies and infrastructure necessary to support broad employee access to mobile devices and applications. For instance, 29 percent of respondents have already implemented a mobile device management solution, 20 percent are doing so now, and another 27 percent plan on doing so within two years. 17 percent of respondents have already implemented a mobile application management solution, 15 percent are doing so now, and another 32 percent plan on doing so within two years.

From a security perspective, BYOD policy implementation is an essential counterpart to mobility adoption. According to the survey, 28 percent of respondents have already implemented a BYOD policy, 20 percent are doing so now, and another 23 percent plan on doing so within two years.

[Figure: Indicate your organization's plans to implement any of the following IT services. Services: Bring-Your-Own-Device (BYOD) policy; Mobile device management solution (MDM); Mobile application management solution (MAM). Responses: No plans to implement; Will implement within 12-24 months; Implementing now; Already implemented.]
Data Security Biggest Challenge When Implementing BYOD Policies

The BYOD policy memorializes an organization's approach to mobility and, among other things, the rules employees must follow in order to access corporate data and systems from their mobile devices. According to the survey, organizations face a variety of challenges around BYOD policy implementation. Not surprisingly, the largest percentage of respondents, 71 percent, say ensuring data security is one of the biggest challenges they face around implementing BYOD policies. 43 percent say creating and enforcing the BYOD policy counts among their biggest challenges, and another 43 percent say software license tracking, management and optimization of mobile devices are significant challenges.

[Figure: What are the biggest challenges your organization faces implementing BYOD policies? Responses: Software license tracking, management and optimization for mobile devices; Data security; Lack of knowledge of mobile application behavior in the enterprise; Keeping applications for devices updated and ensuring compatibility with current IT environment; Creating and enforcing a BYOD policy; We are not implementing BYOD but plan on doing so within 12-24 months; We are not implementing BYOD and have no plans to.]
Risk Reduction Policies Are a High Priority for Organizations Seeking to Mitigate Mobile App Security Risks

Given respondents' accelerating enterprise adoption of mobility, their broad concerns around security, and their broad adoption of BYOD policies as mechanisms for controlling risk, we wanted to examine how far those policies go. Do they reflect a comprehensive awareness of the less obvious risks associated with mobile app behaviors that could serve as a Trojan horse, allowing hidden risk to enter the enterprise?

According to the survey, a sizeable minority of enterprises are at least aware that mobile apps can exhibit risky behaviors, and they're taking some action. 47 percent are implementing BYOD policies to block risky mobile app behaviors. Another 22 percent plan on implementing those policies within two years. User education is also an important tool that 50 percent of enterprises are using to mitigate mobile app security risks.

[Figure: How is your organization mitigating the risks associated with mobile apps? Responses: User education; Policies that block risky app behaviors; App containerization and wrapping; Restricting access to public store apps; We don't have policies blocking risky app behaviors; We don't have policies blocking risky app behaviors but we plan on implementing them within the next 12-24 months.]
Most Organizations Are Not Taking Action to Block Risky App Behaviors

While a majority of respondents are instituting or plan on instituting policies that prohibit risky app behaviors, in practice most are not taking action to enforce those policies. For instance, key to enforcing policies against risky app behaviors is knowing what risky behaviors should be prohibited in the first place. Do features that allow the app to access a mobile device's GPS chip constitute risky behavior? What about features allowing an app to access and post to social media apps, or those allowing an app to report user and device data back to the app producer?

Once risky behaviors are identified, have organizations identified the specific apps exhibiting those behaviors for the purpose of enforcing their BYOD policy? Whether the response is blocking the app altogether or putting it in a container to protect the corporate network from a prohibited behavior, an organization cannot enforce a policy until it has identified the type of behavior constituting a threat and the apps causing those threats.

According to the survey, most organizations, 61 percent, have not even identified which app behaviors they deem risky. Likewise, a majority of organizations, 55 percent, have not identified specific mobile apps that exhibit risky behaviors.

[Figure: Has your organization identified which mobile app behaviors it deems risky? Responses: Yes; No.]

[Figure: Has your organization identified specific mobile applications? Responses: Yes; No.]
Organizations Are Not Realizing Significant Risk Reduction from their BYOD Policies

As noted earlier, BYOD policies are only as effective as the steps organizations take to monitor and enforce those policies. For instance, once organizations understand which risky app behaviors are prohibited, they must then test the apps allowed onto BYOD devices in order to understand which ones exhibit prohibited behaviors. In light of the survey results, which indicated that only a minority of respondents have identified risky app behavior and risky mobile apps, it is not surprising that most organizations likewise report that they are not realizing significant risk reduction from their BYOD policies. Only 16 percent cite lower enterprise application risk as a benefit experienced as a result of their BYOD policy.

[Figure: If you've already implemented BYOD at your organization, what benefits have you experienced? (check all that apply) Responses: Improved employee efficiency/productivity; Improved employee satisfaction; Lower IT infrastructure, device and support costs; Lower enterprise application risk; Employee access to more cutting-edge, up-to-date devices; We've implemented BYOD but have not achieved the benefits we anticipated.]
Conclusion

Enterprises are accelerating their adoption of mobile devices as a critical component of the IT mix. As they do so, security is naturally a high priority. Organizations are broadly implementing BYOD policies to shore up their security, especially in light of concerns about the risky behaviors mobile apps are capable of, which can threaten sensitive corporate data, vulnerable networks and reputation. However, enterprises still have a long way to go to take the actions necessary to enforce their policies. Organizations are still largely unaware of the specific behaviors mobile apps are capable of. Moreover, most enterprises have still not taken action to block apps that exhibit risky behaviors violating their BYOD security policies. It is not surprising, therefore, that while organizations do report many benefits resulting from BYOD, lower application risk is not one of them.
Infographic
Survey Background

This report is based on the 2015 Application Usage and Value survey, conducted by Flexera Software with input from IDC's Software Pricing and Licensing Research division under the direction of Amy Konary, Research Vice President - Software Licensing and Provisioning at IDC. This annual research project looks at software licensing, compliance and installation trends and best practices. The survey reaches out to executives at software vendors and intelligent device manufacturers, as well as the enterprises that purchase and use software and devices.

Methodology and Sampling

The data contained in this report is based on three Application Usage and Value surveys: one targeted at independent software vendors (ISVs), one targeted at intelligent device manufacturers, and one at end-user organizations that consume enterprise software. More than 583 respondents participated, including executives and IT professionals from 264 software vendors, 172 hardware device manufacturers and 147 enterprise organizations.

Survey Demographics

Location of Respondents

Of the 583 respondents to the survey, 53 percent reported their division headquarters as being located in the United States. 6 percent were from India, 4 percent from the United Kingdom, 4 percent from Australia & New Zealand, 3 percent from Germany and 1 percent from France.
[Figure: Respondents' Division Headquarters. Countries shown: United States, India, United Kingdom, Germany, Australia, Italy, Canada, New Zealand, France, Netherlands, Brazil, China, Finland, Mexico, Pakistan, Sweden, Croatia.]

Respondents' Vertical Market

Respondents fell across a wide array of vertical markets. With respect to enterprise respondents, 20 percent were from the Business/IT Consulting Services industry, 12 percent from the Government/Public Sector, and 10 percent each from the Education, Financial Services, Healthcare and Oil/Gas/Utility industries.
[Figure: Which of the following best describes your organization's vertical market? Categories: Automotive; Aerospace/Defense; Consumer Goods; Government/Public Sector; Education; Financial Services; Healthcare; Oil/Gas/Utility; Technology Manufacturing; Business/IT Consulting Services.]

With respect to software vendor respondents, 17 percent were from the financial industry, 16 percent from consumer, and 13 percent from the Healthcare/Medical industry.

[Figure: Which of the following best describes the type of enterprise software your company develops? Categories: Electronic Design Automation (EDA); Human Resources Management (Including Performance, Payroll and Talent Management); Healthcare/Medical; Financial (Including Accounting, Billing, Forecasting); Enterprise Resource Planning (ERP); Customer Relationship Management (CRM); Product Lifecycle Management (PLM); Business Intelligence; Database Management (Including Master Database Management); Project Management; Retail Consumer.]

With respect to hardware device maker respondents, 23 percent are from the telecommunications/network equipment providers industry, 20 percent from the computer equipment and peripherals space, and 20 percent from the industrial/manufacturing automation space.

[Figure: Which of the following best describes your organization's vertical market? Categories: Telecommunications/Network Equipment Providers; Computer Equipment and Peripherals; Industrial/Manufacturing Automation; Building Automation; Healthcare/Medical Devices; Electronic Test and Measurement Equipment; Automotive (Including Infotainment); Consumer Electronics (Including Home Automation).]
Software Licensing and Provisioning Research at IDC

IDC's global Software Licensing and Provisioning research practice is directed by Amy Konary. In this role, Ms. Konary is responsible for providing coverage of software go-to-market trends including volume license programs, evolving license models, global price management, and licensing technologies through market analysis, research and consulting. In her coverage of software maintenance, subscription, electronic software distribution and licensing technologies, Ms. Konary has been instrumental in forecasting future market size and growth. Ms. Konary was also the lead analyst for IDC's coverage of software as a service (SaaS) for eight years prior to focusing exclusively on pricing, licensing, and delivery.

International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. For more information about IDC, please see www.idc.com.

About Flexera Software

Flexera Software helps application producers and enterprises increase application usage and the value they derive from their software. Our next-generation software licensing, compliance and installation solutions are essential to ensure continuous licensing compliance, optimized software investments and to future-proof businesses against the risks and costs of constantly changing technology. Over 80,000 customers turn to Flexera Software as a trusted and neutral source for the knowledge and expertise we have gained as the marketplace leader for over 25 years and for the automation and intelligence designed into our products. For more information, please go to www.flexerasoftware.com.
Flexera Software, LLC (Global Headquarters): +1 800-809-5659
United Kingdom (Europe, Middle East Headquarters): +44 870-871-1111, +44 870-873-6300
Australia (Asia, Pacific Headquarters): +61 3-9895-2000
For more locations visit: www.flexerasoftware.co