IT Responds to BYOD With ‘Fear and Loathing’

Few policies and fewer tools protect data in devices owned by employees.

Security and management tools lag so far behind the reality of Bring Your Own Device (BYOD) programs that BYOD “triggers fear and loathing” among the datacenter and IT staffers who have to deal with it, according to the latest in a series of recent surveys slamming BYOD security.

Twenty-three percent of organizations with BYOD programs have no user training programs or technology tools in place to either manage or secure employee-owned devices, according to a survey of 576 IT professionals released Dec. 2 and sponsored by the SANS Internet Storm Center, which is part of the security- and IT-training-focused SANS Institute.

“Organizations are feeling the pressure of BYOD adoption, with or without policy and security tools to manage the deployments,” according to study author Joshua Wright, a SANS Institute trainer and technical analyst with security firm Counter Hack.

An “overwhelming” percentage of respondents said they have little or no confidence in their own companies’ existing BYOD policies, but don’t have the technical or political resources to both give BYOD devices access to corporate IT resources and keep uncontrolled devices from violating overall security requirements, according to the study, full results of which will be released during a SANS webcast at 1 p.m. EST on Dec. 10.

A version of the same mobility/BYOD security survey released in Oct. 2012 showed that 61 percent of organizations allowed BYOD devices to access secured network resources, but that 50 percent either had no BYOD-specific security rules or depended on users to make their devices comply with corporate security policies.

Only 9 percent of those responding in 2012 said their companies were “fully aware” of what devices were being used inside the firewall or what networked resources they were using.

The primary “control” of BYOD users and devices at 48 percent of organizations is user education-and-awareness programs designed to persuade users to behave appropriately even in the absence of formal corporate policies describing what that might mean.

Ninety-five percent of respondents to the 2012 survey said security policies are critical elements of corporate risk management, but only 38 percent said their companies either created or enforced the necessary policies.

Most companies use existing authentication and access controls, firewalls and virtual private networks (VPNs), rather than BYOD- or mobile-specific mobile-device management (MDM) security products. The main reason appeared to be that top-level corporate managers are reluctant to add direct security or controls on devices not owned by the company, according to the October 2012 Mobility/BYOD Security Policies and Practices survey.

“Tried and true security mechanisms, such as VPN, represent the primary tools used by organizations to protect mobile data, regardless of the limitations and inflexible nature of those solutions,” Wright said in the SANS statement.

Only 22 percent of companies polled in 2012 said they use device management, compared to 14 percent that require employees to monitor and secure BYOD devices, 36 percent that require employees to sign usage agreements and only 23 percent that refused to allow personal devices to be used to access company resources.

Younger employees who are more likely to use mobile devices, smart watches, cloud services and other new consumer-oriented IT resources are becoming far more resistant to any control over their use of IT by the companies that employ them, however, according to a survey of “Gen-Y” workers released Oct. 21 by network security vendor Fortinet Security.

Fifty-one percent of 3,200 corporate workers between the ages of 21 and 32 years old said they would purposely violate security policies banning the use of personal devices or personal cloud services at work. Seven out of eight said the onus of securing personal devices falls on employees, though 14 percent said they wouldn’t notify employers if their own devices were compromised and 52 percent appeared not to understand most of the types of security risk involved.

Simply allowing employees to use personal devices for work is slipping down the list of IT priorities, however, as pressure increases to provide mobile apps customers can use on the run, according to a survey sponsored by CA Technologies and conducted by U.K. analyst firm Vanson Bourne.

The survey, published Nov. 21, 2013, found that only 37 percent of respondents said that keeping employees happy – the traditional reason behind most BYOD programs – is their company’s No. 1 priority in mobile IT.

The majority – 63 percent – said the focus had shifted to mobile apps and the need to respond to demands from users for mobile access, purchasing and support information via mobile app.

Forty-two percent said customer-focused mobile apps are IT’s No. 2 mobile-computing priority.

The need for better management and security will drive corporate spending on mobility up by 50 percent during the next three years, the survey showed, though the percentage of that total spent by business units rather than IT will rise from 9 percent to 15 percent during the same time, the survey predicted.

Most respondents to the CA survey couldn’t point to specific measures of the impact of BYOD or mobility. Of those whose companies did report specific measurements of the impact of mobility, the clearest was an improvement of between 17 percent and 24 percent in time-to-market. Among the other benefits cited were increases in revenue, customer satisfaction, employee productivity and BYOD program cost.

