Some two-thirds of businesses follow some sort of BYOD (“Bring Your Own Device”) policy, allowing workers to use their personal devices in a work context. That’s according to a new survey by consulting firm ITIC and KnowBe4.com.
The Web-based survey, which queried respondents from 550 companies worldwide between July and August 2012, also found something disturbing, at least from a security perspective: around 71 percent of businesses had no specific policies or procedures for keeping BYOD secure. Around 13 percent had such policies in place, while another 9 percent were in the process of developing them, with the remainder unsure of where their companies stood in terms of hardening personal devices against attack or data loss.
Considering how many workers use BYOD devices to access proprietary data via the cloud, that sort of survey data should serve as a warning call of sorts to IT administrators in charge of keeping their organizations secure. “Given the rapidity with which technology advancements occur, organizations should update and revise their computer security policies—with special attention paid to BYOD—at least once a year,” Laura DiDio, an analyst with ITIC, wrote in a research note about the survey. “At a minimum, companies constructing a strong BYOD security policy should implement the following steps.”
Those steps include assembling a list of “specific infractions and associated penalties” for violating company protocols; along with that, DiDo recommends disseminating policies and procedures to employees via email and paper. Conducting an audit for potential vulnerabilities is her next recommended step, followed by clearly defining ownership and responsibility for BYOD devices.
“Even if the employee pays or partially pays for the devices, they must be made aware that they bear responsibility for its safekeeping and security,” DiDo wrote. “Just as a chain is only as strong as its weakest link, the security and health of the network depends upon the strength and security of individual BYOD devices.” The company, she added, “should also insure the devices, or require its employees or students to partially contribute to the cost or wholly assume responsibility for insuring the devices.”
On top of that, she feels that a risk/liability assessment is necessary: “Any BYOD security policy should also incorporate an estimate of the organization’s risk financially, legally and monetarily in the event of a security breach or theft.” That assessment should apparently involve the company’s legal team or other counsel.
Other surveys have also hinted at lax security policies related to mobile devices. The recent iPass Global Mobile Workforce Report, for example, found that many companies didn’t require workers to enable the security features on their smartphones and tablets. “Some mobile workers reported not having remote wipe capabilities on their business smartphones or tablets,” the report read. “Only 74 percent said their company required security features on their mobile phones.”
That report was based on a survey of some 1,200 mobile workers around the world. Around 24 percent of those workers reported attempting to circumvent IT policies in order to access corporate data on a smartphone; 14 percent said their smartphone had no passcode; and only 55 percent had some sort of remote wipe enabled on their smartphone.
Again, those are some very scary numbers for anyone in an organization tasked with ensuring the security of proprietary data. BYOD can save an organization money and make workers flexible—but without some exacting security policies, it can also result in high costs from stolen data.