The issue will only become more prevalent: In 2011, 41% of workers used personal technology to access business applications, up from 31% in 2010, according to a March report released by IDC and Unisys. While the study included personal computers, a Nielsen survey found that consumers who owned a tablet were less likely to use the traditional computer.
In the face of this consumer-driven chaos, businesses need to stop focusing on devices out of their control, says Kevin Mahaffey, chief technology officer for mobile security firm Lookout.
"A big part of the security question comes down to: How do you deal with the dual-role devices that are consumer devices on the weekend and business devices during the week?" he says.
A piece of the answer to consumer-driven IT is to look beyond the device used to interact with data and focus on the data itself, says Andrew Jaquith, a former Forrester Research analyst and the chief technology officer of Perimeter E-Security.
"The real battle for mobile devices is not on security, but on privacy and the corporate equivalent of privacy, which is data leakage," Jaquith says.
Enterprise IT needs to keep a close eye on five trends in mobile security that can help companies tame the chaos resulting from the consumerization of IT.
1. App stores go local
Because the main, and in most cases sole, distribution point for mobile applications is an app store or marketplace, much of a device's security relies on the vetting process at those distribution points. Rather than the traditional Internet of websites and servers, mobile devices tend to rely on applications to download and view data, and on app stores to provide the applications.
"Because we are dealing with the age of the app Internet, it is really easy to download on an impulse any app that you want, and that can be dangerous," Jaquith says.
Companies need to focus on using app stores that provide the best review process. For larger companies, such as IBM, implementing their own app stores for employees makes sense. IBM created its app store, dubbed Whirlwind, to limit employees to downloading certain applications based on their corporate role. Smaller companies can rely on software from app-store suppliers, such as Apperian.
2. Syncing is a backdoor
Companies have had to worry about data leaving the company through USB memory sticks or email. Now, add file syncing and cloud services to that list as well.
"Enterprises need to worry about the worker in Starbucks," says Ahmed Datoo, chief marketing officer at mobile-device management firm Zenprise. "Tablets allow people to do work outside of the office ... pulling in business intelligence to wherever they are working."
While data sharing services, such as DropBox, are aimed at consumers, workers widely use the technology to transfer data to and from a host of devices. Companies need to worry about whether that data is secure. Earlier this year, a vulnerability in DropBox could have allowed any user to access other users' data on the same server.
3. Patching without permission
Companies used to being in control now have to give up managing another aspect of their IT infrastructure: patching.
In many cases, vulnerabilities in smartphones take a long time to patch because of the additional steps in the supply chain. A vulnerability found by a researcher has to be reported to the software maker, which produces a patch. On desktop systems, the patches could then be distributed to end users' systems. On smartphones, however, the updated software has to be integrated into the phone manufacturer's software and then tested by the carrier.
All in all, the process can add months onto the patch cycle, and there is very little a company can do about it.
"The fundamental problem is that there are too many cooks in the kitchen," says Timothy Vidas, a PhD student in the electrical and computer engineering department at Carnegie Mellon University. "There are a lot of ways to shorten the cycle, but it is not in everyone's interest."
In a paper at last month's USENIX Security Conference, Vidas analyzed the Android platform and found that, among other factors, the delay in patching a known vulnerability put such systems at risk.
4. Mobile VPNs are risky
Companies that are worried about data security may assume that adding a virtual private network (VPN) to a mobile device makes sense.
Since companies typically try to secure an entire laptop system, the encrypted communications offered by a VPN make sense. With smartphones, tablets, and other consumer-owned devices, companies cannot attest to the security of the device, so connecting them via a VPN to a corporate network is a danger, says Zenprise's Datoo.
"In the world of consumerization, one of the big challenges is that the IT department can no longer dictate what applications a person can have on the devices," he says. "Employees might have these apps on their device, and they have full access to the network through the VPN."
5. Life's short with no support
Finally, the churn of new devices means that the support lifecycle of smartphones and tablets will be shorter than businesses are used to with desktop and laptop systems.
Companies need to be ready for workers who bring in mobile devices that are no longer patched for even dangerous vulnerabilities, says CMU's Vidas.
"With Android, the phones are perfectly capable even after two years, but manufacturers are only required to support the phones per the Android contract for 18 months," he says. "That's less than the length of the contracts that the consumer signs."