The bring-your-own-device (BYOD) movement may be popular with employees, but it may also be putting corporate data at risk due to a lack of adequate security controls, employer policies and employee education, according to a survey conducted by Coalfire, an IT governance, risk and compliance services company.
Calling BYOD -- where employees bring their smartphones, tablets and laptops to work and connect them to corporate networks -- a “megatrend,” Coalfire said that the movement toward employee-owned devices is introducing a number of new security risks and that companies need to do much more to protect their infrastructure.
“Gone are the days where security professionals can lock down a finite set of machines and facilities. Instead, they must manage an ever-growing, ever-changing landscape of employees, devices and applications, many of which have access to information that needs to be protected,” said Mike Weber and Christopher Lietz, authors of the report.
Mobile device security begins with a password
The study, based on a poll of approximately 400 non-IT department individuals in a variety of industries, found that 47% of respondents have no passcode on their mobile phone, even though 84% stated that they use the same smartphone for personal and work purposes.
Sixty-eight percent of respondents reported that they used a laptop, with 31% of those laptops having been issued by their company. Tablets were a distant third in the survey, used by only 20% of respondents, and almost all of them were employee-owned.
Mobile device security appears to be best understood when a laptop is being used, the survey found: 80% of laptop users employ passwords. Only 58% of tablet users employ this important layer of protection.
When told that a strong password meant using at least 8 characters, including letters, numbers and symbols, just half of smartphone users claimed to have strong passwords. Tablet and laptop users were more confident, with 62% and 76%, respectively, claiming to have strong passwords.
Risky mobile device behaviors
Another set of questions in the survey focused on user behavior, specifically susceptibility to insecure networks, email phishing, malware downloads, shared passwords and other plain bad practices.
Six in 10 respondents said they still write passwords down on a piece of paper while 36% of workers said they reuse the same password for different accounts. Thirty-two percent admitted to having joined unsecured, public Wi-Fi networks. Nearly four in 10 confessed to having clicked on links from emails purporting to be from financial institutions, a common phishing trap, while half of respondents said they clicked on links through social media.
“This is especially worrisome when coupled with users’ access privileges,” the authors wrote.
Thirty percent of smartphone users acknowledged that they have access to sensitive information, and another 16% weren’t sure if they have such access. Tablet users gave similar responses (34% and 13%, respectively).
Company policies also to blame for weak BYOD security
Employees are not solely to blame for potential security risks associated with BYOD.
Sixty-one percent of respondents said they had no knowledge of a company social media policy, and 62% said the same about policies for mobile device usage. “In conducting an IT security review, our auditors often find that our clients have policies, but employees don’t know about them,” Coalfire said.
Only 25% of the survey takers reported having had a discussion with IT about mobile security, and a whopping 79% of respondents didn’t know that IT could deactivate and erase the data on lost devices.
Recommendations to help secure data on mobile devices
Coalfire offered the following recommendations:
• Create a mobile device policy and communicate it early and often. Make sure your employees read and sign off on the policy. Then conduct training and test proficiency.
• Use all methods available to control access to company data on mobile devices. Some of the most effective mobile device management and network access control solutions include capabilities that already exist as features of your enterprise communication platform, the authors wrote.
• Be aware of what employees can access with their devices and zealously enforce strong passwords and password rotation.
• Regularly test your defenses to make sure that infected machines and careless users don’t place your organization in jeopardy.
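The article defines a strong password as at least 8 characters including letters, numbers and symbols, and recommends enforcing strong passwords and rotation while noting that many users reuse one password across accounts. The following Python checker, added here as an illustration and not taken from the article or from Coalfire's report, applies exactly that definition to a set of account records, flags passwords older than a rotation interval, and flags a password reused by the same user on another system. The 90-day interval, the account records and the passwords are constructed assumptions; the article gives no rotation period.

```python
import re
from datetime import date, timedelta

# Policy values. MIN_LENGTH follows the article's definition of a strong
# password; MAX_AGE_DAYS is an assumed rotation interval (the article gives none).
MIN_LENGTH = 8
MAX_AGE_DAYS = 90


def strength_findings(password: str) -> list[str]:
    """Return the ways a password misses the article's strong-password definition."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letters")
    if not re.search(r"[0-9]", password):
        findings.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no symbols")
    return findings


def is_strong(password: str) -> bool:
    return not strength_findings(password)


def needs_rotation(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the (assumed) rotation interval."""
    return (today - last_changed) > timedelta(days=max_age_days)


def audit(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Check every account record for weakness, staleness and per-user reuse.

    Returns a mapping of "user@system" to a list of findings (empty = compliant).
    Records are expected at enrollment or reset time, when the plaintext is
    legitimately in hand; stored credentials should never be kept in this form.
    """
    report: dict[str, list[str]] = {}
    first_seen: dict[tuple[str, str], str] = {}  # (user, password) -> first account key
    for acct in accounts:
        key = f"{acct['user']}@{acct['system']}"
        findings = strength_findings(acct["password"])
        if needs_rotation(acct["last_changed"], today):
            findings.append(f"older than {MAX_AGE_DAYS} days")
        prior = first_seen.setdefault((acct["user"], acct["password"]), key)
        if prior != key:
            findings.append(f"reused from {prior}")
        report[key] = findings
    return report


# Constructed sample records (hypothetical users, systems and passwords).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "system": "email", "password": "Sunny-Day42", "last_changed": date(2024, 4, 15)},
    {"user": "alice", "system": "vpn", "password": "Sunny-Day42", "last_changed": date(2024, 5, 1)},
    {"user": "bob", "system": "email", "password": "password", "last_changed": date(2023, 12, 1)},
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS, date(2024, 6, 1)).items():
        print(account, "OK" if not findings else "; ".join(findings))
```

Running the block reports alice's VPN password as reused from her email account and bob's email password as lacking numbers and symbols and being overdue for rotation. One caveat on the rotation check: current guidance in NIST SP 800-63B advises against forcing periodic password changes without evidence of compromise, so the age rule is worth treating as a tunable policy knob rather than a fixed requirement.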
“Mobile devices have arrived in the workplace, and it’s a win-win situation when employees provision their own devices, helping to lower costs and increase productivity. But you must know the risks and manage them,” the authors concluded.
Roy Maurer is a staff writer for SHRM.