With GDPR becoming enforceable in just over 3 months, we are keen to learn from mobility vendors what has changed in their engagement with enterprise clients around mobile security over the last year. Are enterprises aware of GDPR and, if so, what are they doing to protect mobile workers and mobile devices from a data breach? In this post we analyze the current state of mobile work and its implications for GDPR compliance.
GDPR, game changer
In Western Europe, more than half of the total workforce in 2017 had flexible workstyles, i.e. they were not completely desk-bound, an increase of 5.7% year on year. Interestingly, and despite the growing number of mobile workers, mobile strategies are rarely underpinned by a sound security and policy framework. This alarming fact already runs counter to one of the core principles of GDPR, Article 25, "data protection by design and by default".
Our surveys show that freemium mobile security solutions, for example endpoint threat management bundled with purchases of mobile devices, are the most common. Only about one third of companies have deployed robust enterprise mobility management solutions (EMM or Mobile Identity Management). As a result, it is not surprising that IT departments grant access to sensitive information to less than half of their current mobile workforce. Do we believe that the other half has no access? In practice they do, through Shadow IT, which means that the risk exposure of many companies is worrying: sensitive data reaches devices and cloud applications that IT neither manages nor monitors. With many cloud applications and data being held and accessed from beyond corporate firewalls, the likelihood of a security breach remains high at all times.
However, IDC believes that Shadow IT is entering a new era with GDPR. Admittedly, IT departments struggle to keep pace with innovation in mobility and so they tolerate Shadow IT, but they want, at all costs, for it to be controlled and security-enabled. This is not just a technology effort but mostly an organizational one… We wish them good luck!
State of the Art in Mobility
What’s “State Of The Art” (SOTA) in Enterprise Mobility?
GDPR does not prescribe what SOTA is, but enterprises must "take [it] into account" (Article 32) when deciding which security measures to implement. Essentially, this means that IT departments have to implement mobile security measures that are appropriate to their risk, and must be able to justify those decisions, for instance to a supervisory authority, in the event of a data breach.
Interestingly, our surveys show that SOTA for many companies is concentrated in two technologies: threat management and data encryption. This is a good start, and the media deserves credit for keeping the focus on preventing malware and external attackers, but firms are paying little attention to today's largest threat, the "insider threat". Whether intentional or accidental, insider threats account for the majority of mobile security breaches today.
Given the above, IDC believes SOTA in Enterprise Mobility requires the following solutions:
- Data Loss Prevention technologies, such as encryption, endpoint threat management and policy enforcement solutions. With them, access to sensitive information can be denied or revoked when the security posture of a mobile device is compromised (for example a jailbroken, unpatched or unencrypted device).
- Mobile Identity Management, so that only authorized mobile workers are granted access ("entitlement") to corporate data.
- Audit trails that support forensic investigation in the event of a breach, and that allow an organization to establish what happened within the 72-hour notification window of Article 33.
GDPR Mobile Security by Numbers
IDC's forecast shows that the GDPR-driven mobile security software market is dynamic, growing at a compound annual growth rate (CAGR) of 54% over the 2016-2021 period. But, while top-line growth is strong, the dynamics differ across the various sub-segments.
For example, early demand is expected to come from the mobile identity and access management (MIAM) segment. As a small market segment, and given the fact that controlling access to personal data is called out within the regulation text, MIAM represents a ‘quick win’ for those seeking momentum to ‘kick-start’ a compliance programme.
Meanwhile, longer-term growth is expected from mobile security and vulnerability management (MSVM). With enterprises seeking a more strategic grasp of compliance monitoring and policy enforcement as GDPR maturity evolves, demand for tools such as enterprise mobility management (EMM) will help drive growth later in IDC’s forecast.
GDPR is a Journey
The 25th of May 2018, the date on which GDPR becomes enforceable, provides a clear target by which compliance must be achieved. However, it is critical for organisations to recognise that GDPR compliance is not a one-off project. Rather, it must be an ongoing and evolving change process.
IDC believes GDPR will drive enterprises to continually evolve their personal data handling tools, metrics, skills and culture. In directing organisations to "take into account the state of the art", a concept that is in constant flux, it is implicit that measurement and change must be ongoing. Thus, GDPR compliance is a journey rather than a destination.
The ongoing nature of GDPR compliance is further demonstrated by the requirement (Article 25) that personal data processing be private and secure "by design and by default". IDC interprets this as a catalyst: personal data privacy and security must become "business as usual". This then becomes a question of company culture, not just of policy enforcement.
GDPR and Mobile Security are covered in IDC’s study “Western Europe GDPR-Driven Enterprise Mobile Security Software Forecast, 2017-2021”