Feeds

Securing User Desktops and Mobile Devices

1. ABOUT YOU AND YOUR ORGANISATION

To begin with, we need to know a bit about you so we can make sense of the survey results...

1.1 Which of the following best describes your role?

1.2 How many people work in your organisation?

1.3 How much would you say the following apply to your organisation?

 
Fully
Partially
Not at all
Unsure
We are subject to a lot of regulation
We have a high proportion of 'knowledge workers' *
We have a high proportion of 'mobile workers'
We have a strong culture of user empowerment
Our workforce is generally very security conscious
Senior managers in the organisation take IT security seriously

* A 'knowledge worker' is someone who either produces or consumes a lot of different types of information to do their job - e.g. managers, consultants, engineers, sales staff, support staff, etc.

1.4 Which of the following best describes your organisation's core business?

1.5 Which of the following applies to you in your current position?

1.6 Which aspects of end user computing are you involved in implementing or supporting directly?

1.7 Would you consider yourself a particular fan or advocate of the following?

 
Strong advocate
Positive view
Neutral / pragmatic stance
Negative view
Strong critic
Unsure
Windows XP
Windows 7
Windows 8
Desktop Linux
Mac
iDevices
Android devices

2. PLATFORM AND OS LEVEL SECURITY

2.1 Generally speaking, when you consider the level of use, together with the associated risk or threat, how much is securing the following types of device a priority for your organisation?

 
High
5

4

3

2
Low
1

Unsure
Full function desktops
Lightweight tablets (iPads, Android devices, Windows RT, etc)
Smartphones

2.2 How much experience do you have of security in relation to the following operating systems?

 
A lot
Some
Little or none
Desktop Linux
Windows 8 (Pro)
Windows 7
Windows XP
Windows RT
Windows on smartphones
Mac OS X
iOS on iPads
iOS on iPhones
Android on tablets
Android on smartphones
BlackBerry 10 devices
Older BlackBerries
Other desktop/mobile OS (please specify)

2.3 How would you describe these platforms in terms of their security characteristics?

 
Inherently secure
Easy to secure
Hard to secure
Don't know enough to say
Desktop Linux
Windows 8 (Pro)
Windows 7
Windows XP
Windows RT
Windows on smartphones
Mac OS X
iOS on iPads
iOS on iPhones
Android on tablets
Android on smartphones
BlackBerry 10 devices
Older BlackBerries
Other desktop/mobile OS (please specify)

2.4 How much do the following characteristics of an OS influence how much you use it in your organisation?

 
Big influence
Some influence
Little or no influence
Unsure
Application availability
How easy it is to secure
How easy it is to administer
How easy it is to support
User preference
Other (please specify)

2.5 What are your thoughts on manufacturers embedding security features/hooks into the physical hardware of devices, e.g. at a chipset level?

2.6 Please can you elaborate on your thoughts here?

 

3. BASIC ANTI-MALWARE AND FIREWALL

3.1 When considering malware, how much of a threat or potential threat would you associate with the following?

 
High
Medium
Low
None
Unsure
Infection via the Web
Infection via email
Infection via USB/removable media
Infection via targeted attacks
Other (please specify)

3.2 Does your organisation install third party anti-malware on the following platforms as standard?

 
Yes
No, but we should do
No - platform doesn't need it
No - the level of threat doesn't warrant it
Unsure or don't use
Desktop Linux
Windows (full function machines)
Windows RT
Windows smartphones
Mac OS X
iOS on iPads
iOS on iPhones
Android on tablets
Android on smartphones
Blackberry devices
Other (please specify)

3.3 What about third party firewall software, do you install that as standard on the following platforms?

 
Yes
No, but we should do
No - platform doesn't need it
No - the level of threat doesn't warrant it
Unsure or don't use
Desktop Linux
Windows (full function machines)
Windows RT
Windows smartphones
Mac OS X
iOS on iPads
iOS on iPhones
Android on tablets
Android on smartphones
Blackberry devices
Other (please specify)

3.4 Thinking about where protection should be implemented, is it any more important for the following to reside on the client or in the network?

 
Most critical in the network
Most critical on the client
Critical in both places
It varies
Unsure
Anti-malware
Firewall

3.5 Do you use cloud based anti-malware or other content filtering services?

3.6 Do you have any thoughts on cloud based anti-malware and other content filtering services, e.g. advantages, disadvantages, practicalities etc?

 

4. DATA LEVEL SECURITY

4.1 Do you use so called 'data loss protection solutions' (DLP) in the network to detect and either block or monitor users sending sensitive/inappropriate content outside of the organisation?

4.2 If yes, how would you characterise your experience with network based DLP?

4.3 How much is local data encryption implemented on the following types of device?

 
For all or most users
For certain groups of users only
Little or no use
Unsure
Fixed desktops
Laptops/notebooks/full function tablets
Lightweight tablets (iOS, Android, etc)
Smartphones
Removable media (USB sticks, SD cards, etc)

4.4 Is there a general preference in your organisation towards encryption of whole disks/devices, or selected folders and files?

 
Whole disk/device encryption preferred
Folder/file level encryption preferred
Both have their place
Don't see a big role for encryption
Unsure
Fixed desktops
Laptops/notebooks/full function tablets
Lightweight tablets (iOS, Android, etc)
Smartphones
Removable media (USB sticks, SD cards, etc)

4.5 How much do the following limit the degree to which you implement encryption?

 
Primary factor
Secondary factor
Not a factor
Unsure or N/A
No strong requirement
Cost of software required to implement
Time and effort needed to implement
Support overhead once in place
Key management in particular
Other (please specify)

4.6 Do you have any further thoughts on the use of encryption?

 

5. PROTECTING THE BUSINESS FROM USERS, AND USERS FROM THEMSELVES

5.1 When considering the actions of users, how much of a risk are the following?

 
High
Medium
Low
None
Unsure
User ignorance / lack of awareness
User mishap / thoughtlessness
User neglect / irresponsibility
Malicious intent
Other (please specify)

5.2 How much do you impose restrictions on what users can do with the following types of device, e.g. in terms of tampering with important configuration settings, inappropriate use of removable storage, etc?

 
For all/most users
For some users
Not considered necessary
Not considered practical
Unsure
Fixed desktops
Laptops/notebooks/full function tablets
Lightweight tablets (iOS, Android, etc)
Smartphones

5.3 Do you specifically implement application black-listing in relation to these devices?

 
For all/most users
For some users
Not considered necessary
Not considered practical
Unsure
Fixed desktops
Laptops/notebooks/full function tablets
Lightweight tablets (iOS, Android, etc)
Smartphones

5.4 And what about application white-listing, so that only approved software can be used?

 
For all/most users
For some users
Not considered necessary
Not considered practical
Unsure
Fixed desktops
Laptops/notebooks/full function tablets
Lightweight tablets (iOS, Android, etc)
Smartphones

5.5 Do you have any thoughts on the usefulness and practicality of application black-listing or white-listing?

 

5.6 How much do the following hold you back from putting more restrictions in place on what users can do with devices?

 
Primary factor
Secondary factor
Not a factor
Unsure or N/A
No strong desire or need to constrain users
Cost of software required to implement
Time and effort needed to implement solutions
Support overhead once in place
Push-back from users
Other (please specify)

5.7 Regarding so-called BYOD, what percentage of your employees currently do the following?

 
None or hardly any
Less than 5%
6 to 10%
11 to 25%
26 to 50%
51 to 75%
More than 75%
Unsure
Use a personally-owned phone for making business calls, receiving an allowance or claiming back call-costs via expenses
Use a personally-owned smartphone or tablet to connect to business applications or data over the internet (including via guest-style internet access at the office)
Use a personally-owned smartphone or tablet to gain full, secure, ‘behind the firewall’ access to the corporate network
Use a full-spec personally-owned PC or Mac to connect to business applications or data over the internet (including via guest-style internet access at the office)
Use a full-spec personally-owned PC or Mac to gain full, secure, ‘behind the firewall’ access to the corporate network
Use a personally-owned smartphone, funded by the company, as a substitute for a corporate device
Use a personally-owned tablet, funded by the company, as a substitute for a corporate device
Use a full-spec personally-owned PC or Mac, funded by the company, as a substitute for a corporate device
Other form of BYOD (please specify)

5.8 What forms of BYOD do you see as being particularly prominent over the coming couple of years?

 

5.9 With regard to security, should personal devices used for work be treated any differently to business-owned devices?

5.10 Can you elaborate on your answer here?

 

5.11 Do you see a role for the following to enhance end user computing security?

 
Already using
Likely to use
Would consider
Not of interest
VDI (Virtual desktop infrastructure)
Application streaming
Client side virtualisation on desktops/laptops
Mobile device virtualisation
Mobile device partitioning/containerisation
Mobile device management (MDM) solutions

6. AND FINALLY, WHAT ABOUT MANAGEMENT?

6.1 How would you describe your facilities for monitoring and managing security in relation to the following across anti-malware, firewall, data loss prevention, application control, and the other areas we have discussed?

 
Comprehensive and well-integrated
Comprehensive but disjointed
Generally quite patchy
Very weak
Unsure
Windows desktops and laptops
Non Windows desktops and laptops
Mobile devices (tablets and smartphones)

6.2 In an ideal world, how desirable would it be for your security management tools to be joined up across the following?
By 'joined up' we mean that you can define/implement policy, and administer/support devices/configurations, in a centrally coordinated manner

 
Highly
desirable
5


4


3


2
Not
interested
1


Unsure
Windows and non-Windows desktops/laptops
Physical and virtual desktops
Different types of mobile device (iOS, Android, Windows, etc)
The desktop and mobile environments in general
Business-owned and personal devices
The server side and client side of the equation
Application level and platform/infrastructure level security

6.3 How well are your security management tools actually joined up across these areas at the moment?
By 'joined up' we mean that you can define/implement policy, and administer/support devices/configurations, in a centrally coordinated manner

 
Fully
joined up
5


4


3


2
Not at all
joined up
1


Unsure
Windows and non-Windows desktops/laptops
Physical and virtual desktops
Different types of mobile device (iOS, Android, Windows, etc)
The desktop and mobile environments in general
Business-owned and personal devices
The server side and client side of the equation
Application level and platform/infrastructure level security

6.4 Zooming out, how much emphasis is there on the following in your organisation?

 
High
Medium
Low
Alien concept
Security analytics
Detecting and defending against APTs
Threat intelligence data from suppliers
Training of IT staff on security matters
Training of end users on security matters
Executive level awareness of security issues
Proactive investment in IT security

6.5 And as you invest, or continue to invest in security solutions, how much emphasis will you place on the following?

 
High emphasis
5

4

3

2
No emphasis
1

Unsure
Minimising the number of point solutions in favour of integrated suites
Minimising the number of security solution suppliers we work with

7. BEFORE YOU GO

7.1 To finish off, how much would you agree or disagree with the following statements?

 
Strongly agree
Agree
Neutral
Disagree
Strongly disagree
Our current end point security measures are meeting immediate needs effectively (i.e. doing the job)
Our current end point security measure are meeting immediate needs efficiently (WRT cost/overhead)
We are well set up to accommodate BYOD from a security perspective
We are in a good position to cope with the way in which our end user computing security needs are likely to evolve over the next 3 years

7.2 Do you have any last thoughts on security matters that you would like to share with us before you go?