MOBILE SECURITY IN GERMANY 2015

Striking a Balance between Productivity and Risk MOBILE SECURITY IN GERMANY 2015 Executive Brief Sponsored by Axway IDC Multi Client Project


Table of contents

Introduction

Trends and Developments in Germany
  The use of mobile technologies gives rise to new targets and methods of attack
  A holistic mobile security concept is essential
  Container solutions are not only attractive for BYOD scenarios as an extra security layer
  Various concepts can improve mobile app security
  The right approach to consumer file sharing tools: Stop or secure, which do you do?
  Wearables and biometric criteria have taken multi-factor authentication to the next level
  Growing focus on language encryption and secure messengers to secure mobile communication
  Organizational best practices: User training is the most effective approach
  Conclusion
  IDC recommendations
  Recommendations for users by users
  Methodology

Axway case study: CETREL, a SIX Company
  Client Details
  Client Requirements
  Solution Profile
  Project Highlights
  Client Comments on the Project

Interview with Markus Mayer, Axway

Author: Mark Alexander Schulte, Consultant & Project Manager, IDC

© IDC Central Europe GmbH, 2015


Introduction


Putting in place holistic mobile security is no easy task for companies. The use of various mobile operating systems, increased private and business use of devices, a growing number of smart devices, a high level of innovative dynamism and new attack scenarios targeting mobile IT result in greater complexity when protecting data. So it is vital that companies face up to securing their mobile devices, apps and information and minimize the risk of information loss through appropriate security concepts and solutions. Comprehensive mobile security must be ensured without compromising users' productivity when they use smartphones, tablet PCs and apps etc.

In May 2015 IDC conducted a survey of 243 IT officers and departmental decision-makers from German companies with more than 100 employees to gain a better appreciation of the threat potential and requirements, measures and plans to secure mobile technologies in organizations. A particular focus was placed on the views of IT officers and departmental decision-makers on the subject of security. The key findings of the 'Mobile Security in Germany 2015' survey are summarized below.


Mobile Security

Trends and Developments in Germany

The use of mobile technologies gives rise to new targets and methods of attack

The growing use of mobile devices and applications in the corporate world is attracting increased interest from cyber criminals. Around two thirds of the interviewed companies have already come up against attacks on the security of smartphones and tablet PCs. They reported an average of more than six security incidents over the past twelve months. This is a significant figure given the fact that security breaches can lead to financial repercussions, legal consequences and a loss of image on the part of the relevant organization.

The potential threat is very real and the possible attack scenarios manifold. IT officers interviewed regard the greatest security risk to be mobile malware, which has become increasingly widespread in recent years, also in the heterogeneous mobile operating system landscape. In addition, more than a third rate phishing attacks among the top three risks. Phishing is particularly treacherous on mobile end devices because URLs are only partially displayed on the small display and emails are read so quickly that companies have no time to adjust their security filters.

FIGURE 1: The top security risks in handling mobile devices, apps and content (laptops excepted)

Unauthorized access over public hotspots: 23%
Insecure mobile apps: 28%
Insecure mobile operating systems: 29%
Incorrect conduct by users, intentional or unintentional: 30%
Phishing and social engineering: 35%
Malware: 42%

n = 168; IT officers, selection of top three criteria, figure abridged. Source: IDC, 2015


IT officers rated users themselves as the third major security risk. The latter's careless attitude in many cases to the technology placed at their disposal often puts severe strains on mobile security. According to IT decision-makers 43 percent of security incidents are caused by employees. For instance, 30 percent of the departmental decision-makers interviewed had lost one smartphone with company information over the past two years, and in 10 percent of the cases, more than one. In IDC's view companies are therefore duty-bound to raise their employees' awareness of the consequences of the careless use of smartphones etc.

A holistic mobile security concept is essential

The current embattled situation emphasizes how essential it is for organizations to push ahead with mobile IT security. There are many spheres involved in securing mobile technologies. They range from mobile hardware including operating systems, mobile applications, files and documents and information transfer to messaging and VoIP telephony. Companies must aim to protect all mobile IT areas and thus ensure seamless security with no loopholes.


The following sections describe current trends and best practices for ensuring mobile security in the various spheres.

Container solutions are not only attractive for BYOD scenarios as an extra security layer

A company's mobile applications and files can be managed in a secure environment over container solutions. In addition, using a container allows you to keep private and business information separate on a mobile end device. For instance, IT organizations can delete company data in a managed container without affecting personal files. Data in the IT-managed container can be encrypted when at rest or in transit and only opened following authentication over appropriate access information.

54 percent of the interviewed companies currently use containers on smartphones and tablet PCs. However only a third of them named keeping private and business content separate as a key objective of their solution; 36 percent listed enhanced protection for company data on mobile devices. While containers are frequently only associated with BYOD scenarios, the additional securing of smart devices, the most common key aim of implementation, has nothing to do with whether they are also used privately. Companies should therefore look at containers not only in terms of a BYOD use case, but also as a potential extra security layer on company devices.

FIGURE 2: Mobile security spheres (diagram: Devices, Apps, Content, Transmission, Gateways, Voice & Messaging). Source: IDC, 2015


Various concepts can improve mobile app security

Mobile app security is a growing problem for many companies, especially when employees download non-approved apps from public app stores. According to 28 percent of the interviewed IT officers insecure mobile apps rank as one of the three top security risks in the use of mobile technology. The previously mentioned container solutions afford protection at device level, and other security solutions designed specially for mobile apps are available.

The selection of the right app security technology greatly depends on the nature of company information to be protected and the company's security requirements. For instance, the source code need not be changed for app wrapping, so this approach appeals to companies that want to implement a security solution quickly for apps that have already been developed. By contrast, software development kits (SDKs) offer extensive functions so that security features can be more customized to the needs of an organization.

Companies' future plans show that no one technology will predominate in the upcoming two years and organizations will adopt different approaches to securing their mobile applications. However, in IDC's view, the industry is moving towards open standards or a common framework, which will lend added impetus to the spread of SDKs.

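FIGURE 3: Technologies for securing mobile apps (%)

App wrapping: deployed 15; deployment planned within 12 months 25; deployment planned within 12-24 months 17; neither deployed nor planned 33; don't know 10
Software development kits (SDKs): deployed 16; deployment planned within 12 months 31; deployment planned within 12-24 months 21; neither deployed nor planned 25; don't know 7
Enterprise app stores: deployed 21; deployment planned within 12 months 33; deployment planned within 12-24 months 19; neither deployed nor planned 21; don't know 5
Per app VPN: deployed 30; deployment planned within 12 months 24; deployment planned within 12-24 months 19; neither deployed nor planned 21; don't know 7
App scanning and monitoring for malware: deployed 33; deployment planned within 12 months 25; deployment planned within 12-24 months 18; neither deployed nor planned 18; don't know 5

n = 168 (IT officers only). Source: IDC, 2015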


The right approach to consumer file sharing tools: Stop or secure, which do you do?

File sharing solutions allow users to access files and documents from all devices. However, if employees use their private accounts for e.g. Dropbox, Google Drive or OneDrive to share business documents, IT soon loses control over company data. Eight out of ten business executives have at some point used their private file sharing account for business purposes. Today 52 percent of users still occasionally use a consumer file sharing tool to share business documents. This is a clear indication that behind the back of IT many users use tools with which they are familiar and most comfortable.

Mind you, 44 percent of companies allow the use of private tools, as IT employs additional measures to ensure document security. This strategy gives companies the advantage of letting employees work with tools which they can already put to productive use. Results also reflect the resignation on the part of IT along the lines of: if you can't beat them, at least secure them. File security and compliance can be improved by content connectors. Appropriate solutions integrate private storage into the enterprise content management system over the respective interfaces. Another option is document encryption, which attaches security functions directly to the object to be protected and goes everywhere with it.

Wearables and biometric criteria have taken multi-factor authentication to the next level

Nowadays smart devices are used increasingly to complete both business and private transactions and grant rights. Multi-factor authentication (MFA) offers multi-layer protection for these transactions by combining two or more independent authorization proofs. 44 percent of the interviewed companies currently use two-factor authentication (2FA) for mobile devices. Thanks to the dynamics of innovation, biometric criteria and wearables are emerging as new 'factors' that promise enhanced security.

40 percent of the companies now using 2FA are planning authentication over wearables for next year, so employees will have to confirm transactions initiated on a smartphone over their smart watch. Companies have made more progress with biometric identity verification. It is already deployed in 40 percent of the companies. Fingerprint sensors, which are integrated into many new smartphones and tablet PC generations, are most common. Recording biometric criteria is very user-friendly as the users themselves form the criteria and so, in contrast to a password, they cannot forget the security criteria.

Growing focus on language encryption and secure messengers to secure mobile communication

Language encryption is a proven method of securing confidential smartphone calls. Encrypted calls are initiated over a mobile app, which exchanges keys with the application on the other device. A third of the interviewed companies mentioned that they are already encrypting some of their mobile calls. Messenger communication has also increased significantly in the business sector. The interviewed IT decision-makers were confident about the security of mobile chatting in their companies - too confident in IDC's view. Many IT officers still appear to underestimate the extent to which private messenger tools like WhatsApp or Facebook Messenger are used and their risk to data security and protection.

Organizational best practices: User training is the most effective approach

Protecting mobile devices, apps and documents not only calls for precautions on the technology level, but also on an organizational level. IT decision-makers consider employee training as most suitable in this case, followed by implementation of a mobile security policy and IT personnel training. In IDC's view companies should not regard mobile security guidelines in isolation, but integrate them into the company's overall IT security concept. To ensure that the set guidelines are respected, employees should be advised on the potential consequences of their non-observance. This, in turn, is an integral part of the instructions and training.


FIGURE 4: The most effective organizational steps to improve mobile security

Training of users: IT 46%, Business 51%
Guidelines for secure use of mobile end devices (mobile security policy): IT 41%, Business 35%
Training IT staff: IT 38%, Business 36%
Mobile security was incorporated into the formal information security management: IT 32%, Business 35%
Appointing mobile security officers: IT 21%, Business 27%
High usability of the security solution: IT 19%, Business 35%
Take more account of employees' wishes: IT 16%, Business 27%
Don't know: IT 2%, Business 3%

N = 243, multiple selections. Source: IDC, 2015

The departmental decision-makers also regard training as the most effective method of improving mobile security, so take a self-critical approach. 95 percent of departmental decision-makers who completed training over the past twelve months report an improvement in handling mobile technologies. In IDC's view companies must place significantly more priority on raising their employees' awareness in the future, since misuse by employees is still the biggest stumbling block in mobile security for many companies.


IDC Recommendations

Securing mobile corporate IT is a key task for companies in 2015 and beyond. It is not always easy to find the right mobile security concept underpinned by appropriate solutions. Based on survey results IDC has the following recommendations for user companies:

Do not regard mobile security in isolation, but as an important part of your IT security concept

Companies have spent many years securing their IT infrastructure, desktop PCs and laptops. So do not consider the implementation of security on mobile devices in isolation, but rather as a key element of your company's overall IT security concept. Make sure therefore that your mobile security solutions are compatible with your existing tools, e.g. for endpoint security, identity management, network or data security. To achieve effective protection the various elements must work together and not be mutually detrimental.

Strike the right balance between productivity and security

While the benefits of smartphones etc., such as increased employee productivity, are plain, companies still have difficulties finding the right approach to securing their mobile IT. It is important to strike a balance between user friendliness and security. This balance will vary according to the company's business model and sector of activity. The use of biometric criteria like fingerprint scanning is a good example of achieving a balance between user friendliness and security.

CONCLUSIONS

Many companies still regard ensuring holistic security for smartphones, tablet PCs etc. as a challenge. This is largely due to the high complexity of mobile IT, with several mobile operating systems, blending of private and business technology, a steadily growing number of smart devices and significant innovation dynamics. Many IT organizations therefore resort to external know-how to improve mobile security.

IT decision-makers are also faced with a dilemma: on the one hand they must improve the security of corporate data on mobile devices, while on the other user productivity should not be restricted when using smart devices. Despite all the necessary security measures IDC still assumes that only a few IT organizations lose sight of employee productivity. Easy intuitive handling of mobile security solutions on the relevant device is the key to high acceptance by users.

We do not anticipate a decline in potential risks over mobile end devices and applications over the upcoming months. Although mobility has changed neither IT security principles nor malicious actions by cyber criminals, new targets and methods of attack do arise from the use of mobile devices, apps and content. Companies must gain an appreciation of these dangers and deploy tools and processes to afford appropriate protection. Only then can both productive and secure working on the move be enabled.


Raise users' awareness of the risks when dealing with mobile IT

Incorrect conduct by users is the greatest challenge to securing their smart devices encountered by many companies. So emphasize the risks of careless use more strongly to your employees. Drafting and implementing a mobile security policy is an important aspect in this context. Results show that detailed user instruction and training are the most promising, however they must take place regularly, e.g. when a new device is issued, in order to achieve long-term improvement.

Create transparency in a confusing market

The mobile security market is abuzz with many providers from different backgrounds: security providers, EMM vendors or mobile security pure players, to name but a few. So it is easy to lose sight of suitable mobile security providers and their solutions. Depending on their background, providers offer different strengths. First of all, though, you should be clear as to what you are looking for. There are many different spheres in which mobile IT must be secured and these should be the point of departure for shortlisting providers.

Seek outside support if the matter is too complex for you

A growing number of mobile devices, various operating systems, merging of private and business technology and high innovation dynamics lead to a degree of complexity in mobile security that many companies can no longer address on their own. Do not hesitate to seek outside support to develop and implement mobile security concepts. The risk of gaps in your mobile IT security is too great.

Address the impact of wearables on your IT security

Wearables like smart watches constitute both a chance and challenge to mobile security. Smart watches can help improve mobile security as part of multi-factor authentication. At the same time, from an IT point of view, they are additional devices to be managed and secured, especially when they have their own Internet access. Companies should avoid employees using their personal wearables for business purposes and once more insist on the security first demanded around four years ago in the case of smartphones.

Recommendations for users by users

During the survey IT officers were asked to give other companies and organizations tips on what to look out for to improve the security of mobile devices, apps and information. We would like to share some of the unfiltered answers with you. These are not commented to preserve authenticity:

"Take care to dovetail efficient security software with carefully pitched user training."

"Use pictures and illustrations to explain things to everyone."

"That standard guidelines are used in the company and device diversity does not get out of hand."

"Increase user friendliness so that employees really do act in compliance with security guidelines."

"Equip employees with the same hardware and software as far as possible."

"Retain an overview of the market, and do so in all directions."

"Don't consider the cost, it's worthwhile investing in optimum security."

"Keep software and apps up-to-date, deploy authentication measures and good scanning and monitoring functions."

"Train, train and train users and warn them."

"Make sure from the beginning that private and business data and applications are kept strictly apart on mobile devices."

"Clear guidelines as to which devices may be used."

"BYOD is THE problem when everyone uses their own devices and the IT department doesn't have all the versions under control."

Methodology

The aim of the survey conducted by IDC in May 2015 with 243 IT officers and departmental decision-makers from companies with more than 100 employees was to gain a better appreciation of the threat potential, requirements, proposed action and plans to secure mobile technologies in organizations. A special focus was placed on the assessments of IT officers on the one hand and comments by departmental users on the other.

The following case study and interview is based on information provided by Axway. IDC accepts no responsibilities for this information.


AXWAY

Case study: CETREL, a SIX Company

Client Details

SIX is a European payments services provider offering comprehensive solutions for cashless payment transactions. SIX Payment Services ensures payment processing for card issuers, as well as card acceptance for merchants. In a major initiative, the CETREL office of SIX Payment Services is collaborating with SIX headquarters to enable peer-to-peer (P2P) mobile payment (m payment) solutions.

SIX operates Switzerland's financial market infrastructure and offers comprehensive services on a global scale in the areas of securities trading, clearing and settlement, as well as financial information and payment transactions. The company is owned by its users (approximately 140 banks of various sizes and orientations) and generated, according to the company, an operating income of 1.80 billion Swiss francs and a Group net profit of 247.2 million Swiss francs in 2014 with its workforce of more than 3,800 employees and presence in 24 countries.

Client Requirements

As the competence center for credit-card issuing, the CETREL office of SIX Payment Services provides banks, credit institutions and banking service providers with services for the entire life cycle of a card, e.g., production and personalization, modification, blocking, processing transactions, topping-up prepaid cards, etc. It also works with telecoms companies to send SMS text messages to cardholders.

Historically, banks would send a daily file of card transactions to process in batch mode, a system that was neither flexible nor responsive. To modernize, the CETREL office of SIX reviewed available technology, decided to implement API Web Services, and developed a solution in-house.

After a few years' operation, however, it became clear that the cost for maintaining the platform's security was too high. The solution needed to be updated continuously to counter emerging threats and integrate new digital technologies used by the financial services industry.

WWW.AXWAY.COM


Solution Profile

The CETREL office of SIX Payment Services launched an RFP to find an integrated Web API security solution. Of five competitors, a shortlist of three was established, and Axway made the winning bid. In the new architecture, all API Web Service calls and security functions, including encryption, were moved to the Axway API Gateway, enabling CETREL to focus on its core business activity.

Each transaction involves an API Web Service call that is handled by Axway API Gateway and includes up to 200 different security checks (e.g., encryption, decryption, message signing, signature verification, etc.).

The solution enables person-to-person payments via smartphone apps. In the current implementation, users download the bank's P2P app, transfer funds from their bank account to the app's stored value, and then use those funds to pay other people.

The solution will scale up rapidly in terms of volume of transactions; variety of funding and payment options; and geographical reach.

In the P2P mobile payment services introduced by SIX, interactions between Swiss banks and SIX systems are handled via API Web Services.

The Axway API Gateway is a key component of the P2P solution of SIX, where it is responsible for the movement of all funds.

Project Highlights

As planned, the project began in September 2014 and was rolled out in November, right on time.

According to the company's statements Axway's solution currently handles 3 million cards and 300,000 API Web Service calls per day, with peaks of 40 calls a second.

Benefits include rapid time to market, easier onboarding of new customers, 24x7 availability, high-performance.

Client Comments on the Project

“The Axway platform came with a series of modules that we could adapt to protect ourselves from any imaginable kind of attack. It was so much easier than developing a system ourselves. With the Axway solution, the work of five or six people is replaced by one person working part-time, allowing us to make better use of our engineers’ capabilities.”

“Securing API Web Services is not our core business. Our business is payment cards. We needed to delegate responsibility for that task to professionals.”

“It’s a highly optimized, highly stable solution.”

By Xavier Stenuit, Application Engineer at CETREL


INTERVIEW WITH MARKUS MAYER, AXWAY

IDC spoke to Markus Mayer, Director Presales, Axway, at the presentation of the results of the "Mobile Security in Germany 2015" survey.

IDC: The usage of mobile devices, apps and content has risen dramatically in companies in recent years. Primarily to improve employee productivity and processes. At the same time, the security of mobile technology has become a focus of attention. What in your view constitutes a good balance between productivity and security?

Markus Mayer: Effective mobile applications depend on access to data and backend services, however these platforms are frequently not optimized for mobile access or accessible in the first place. The focus in terms of mobility has shifted heavily from devices to applications and enterprise app activation is increasing at a steady pace. However mobile access to sensitive data is restricted by security requirements. Furthermore, corporate data is classed in various risk categories. A patented production process has a high security level, directions for getting to the company a low one. An even balance is struck when the action implemented enables practical mobile working, i.e. when the necessary infrastructure for hardware and apps is created. On the other hand, both data and infrastructure must be protected according to their relevant risk classification to prevent security efforts being expended unnecessarily.

IDC: What are the typical challenges faced by companies when enhancing their mobile security?

Mayer: Many companies entering the mobile world fail to devote due attention to security aspects. Business strictures call for fast product launches and fast results on the IT front. Security policies are sidelined. When mobile access is granted to data and applications, also over web services, companies are exposed to the risk of attack and subsequent damage if security is poorly implemented. Web interfaces (APIs) are now the main targets of unauthorized access by attackers.

IDC: What approach do you recommend to companies to make their mobile cosmos as safe as possible – without losing sight of employee productivity?

Mayer: Companies must make their security foolproof or, at the very least, easy to implement. Most importantly, security must be upgraded to a key design aspect and not treated as an afterthought. On the other hand, app developers are often not familiar with security matters, so IT must supply solutions and best practices that both protect companies and enable innovation. The best way to ensure mobile security is to build a sturdy API security shield composed of access control, data guidelines and threat protection. IT must therefore regard programming interface (API) management as a core component of the corporate architecture for all integration requirements and offer a targeted abstraction and security layer to support mobile applications. The latter provides a standard method of securing access to all data and applications, transparency and clear governance of all data circulating between partners, mobile and cloud applications.


Copyright Notice

External publication of IDC information and data – including all IDC data and statements, which are used for advertising purposes, press releases or other forms of publication – is subject to the written approval of the responsible IDC Vice President, Country Manager or CEO. A draft of the copy for publication must be enclosed with the application for consent. IDC reserves the right to refuse external publication of data.

For further details of this publication please contact:

Katja Schmalen, Marketing Director, +49 69 90502-115 or [email protected].

Copyright IDC, 2015. The reproduction of this document is strictly prohibited without prior written consent.


IDC Central Europe GmbH Hanauer Landstr. 182 D 60314 Frankfurt • Germany

T: +49 69 90502-0 F: +49 69 90502-100 E: [email protected]