Nearly two-thirds of businesses – 62% — now allow their end users to “bring their own devices (BYOD)” and use them as their corporate desktops or mobile devices to access organizational data including Email, applications and sensitive data. However, 71% of businesses that allow BYOD, have no specific policies and procedures in place to support BYOD deployment and ensure security.
That’s according to the latest independent joint survey conducted by ITIC and KnowBe4.com, a Clearwater, Florida company that specializes in security awareness training. The ITIC/KnowBe4.com survey, polled 550 companies worldwide in July and August. The survey survey found that only 13% of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.
“These survey findings should act as a wake-up call to galvanize corporations into proactively managing and securing corporate data accessed by mobile BYOD devices before they suffer an expensive and potentially crippling loss or hack,” said ITIC principal analyst Laura DiDio. She continued, “Every firm regardless of size should conduct a risk assessment review and adopt strong security and management policies to deal with increasingly mobile BYOD deployments.”
BYOD deployments have been among the biggest trends in corporate computing usage in the last 12 to 18 months, spurred on by the burgeoning use of mobile and portable devices like smart phones and tablets which have become ubiquitous and near-indispensible workplace tools. BYOD usage does help businesses to contain costs and lower the administrative burden of IT departments as end users manage, maintain and in many cases pay for their own devices.
However, the downside of the BYOD and mobility trends is that they leave companies – from SMBs to enterprises — extremely vulnerable to security breaches. Unless the corporation has strong, effective usage and security policies in place to govern BYOD usage, the company and its sensitive corporate data could be put in a precarious position in the event that a mobile device is lost, stolen or hacked.
Kevin Mitnick (former ‘most-wanted’ hacker), KnowBe4’s Chief Hacking Officer agreed, noting, “Mobile devices are the new target-rich environment. Based on lessons learned in the early days of the personal computer, businesses should make it a top priority to proactively address mobile security so they avoid same mistakes [of the PC era] that resulted in untold system downtime and billions of dollars in economic loss.”
Among the other ITIC/KnowBe4.com survey highlights:
- Organizations are split on who takes responsibility for the security of BYOD devices. Some 37% of respondents indicated the corporation was responsible; 39% said the end users were responsible; 21% said both bear equal responsibility and the remaining three percent were “Unsure.”
- Presently, 51% of workers utilize smart phones as their BYOD devices; another 44% use notebooks and ultra books, while 31% of respondents indicated they use tablets (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs.
- A 57% majority of respondents said the end users purchased/owned their BYOD devices; compared with only 19% that indicated the corporation buys and owns them. Another 22% of survey participants said the company and the employees split the cost. The remaining two percent said they decide on a case-by-case basis.
- The top three challenges with respect to BYOD deployment were: difficulty of management and support (63%); provisioning new applications (59%) and security (48%).
The transition to a BYOD model is rapid and widespread. Legal services leader Foley & Lardner, was an early adopter of BYOD in October of 2009. According to a recent article, the firm implemented this program to cut costs and enable their employees to work anywhere, anytime. The security issue on personal devices is said to be protected from “within the secure confines of our data center” (1).
Organizations that allow BYOD, but fail to implement strong safeguards will find themselves extremely vulnerable. Unless the corporation has strong, effective policies, procedures and security awareness training in place to govern BYOD usage, the company and its sensitive corporate data could be put in a precarious position in the event that a mobile device is lost, stolen or more likely, hacked, a real possibility in recent times. (2)
For necessary and vital security measures, every firm regardless of size should conduct a risk assessment review, adopt the ‘defense-in-depth’ strategy and create a strong first layer: security policy, procedure and security awareness training to deal with BYOD deployments.
(1) ZDnet.com , August 23, 2012. “Legal services leader and SMB Foley & Lardner makes strong case for BYOD” www.zdnet.com/legal-services-leader-and-smb-foley-and-lardner-makes-strong-case-for-byod-7000003094/
(2) “HP Research Reveals 56 Percent Rise in Cost of Cybercrime”; published on HP.com, August 2, 2011. www.hp.com/hpinfo/newsroom/press/2011/110802xa.html