Ignorance, as those in IT security know, is not bliss. And two new studies, viewed together, show that consumers' ignorance of the consequences of their actions, coupled with enterprises' unawareness of their computing environment, equals unacceptable risk.
In a survey conducted by the information security association ISACA, many consumers, behaving like Alfred E. Neuman of "What, me worry?" fame, exhibited recklessness in deciding when to download location-based apps on their smartphones and tablets. The other study, conducted by the educational and research organization SANS Institute, revealed that few organizations know the type of devices - especially mobile ones - that access corporate resources.
Well over half of consumers - 58 percent - using smart mobile devices employ location-based apps despite concerns about safety and third-party use of their personal information, according to ISACA. Forty-three percent say they don't read agreements when downloading mobile apps; 25 percent respond that the agreement language is unclear. A mere 8 percent of respondents say they don't download apps.
Location-based apps are popular: two-thirds say they use these applications at the same rate or more so than they did a year ago; only 10 percent use them less. More than half - 54 percent - contend the risk and benefit of location-based apps and services are appropriately balanced; 22 percent say the risk outweighs the apps' benefits, and 17 percent say the benefits outweigh the risk.
Still, at least when asked, respondents express some anxieties over location-based apps. One-quarter of the respondents picked strangers knowing too much about the individual's activities as the basis for their fretfulness; another quarter chose individual information being shared and used for marketing purposes. Twenty-one percent picked personal safety as cause for concern; 12 percent worried about government knowing too much about their activities.
SANS, in a mobility security survey to be released on April 12, reveals that just 9 percent of organizations are fully aware of the devices accessing corporate resources, while half feel only vaguely or fairly aware of the mobile devices accessing their resources. Most shocking: more than 60 percent of surveyed organizations say they let staff bring their own devices to work.
Many organizations unduly place themselves at risk by allowing access to their computers by mobile devices used by employees who download apps without understanding their consequences. That doesn't seem like a smart information risk management policy; actually, it doesn't seem like a policy at all.