Employee use of personally-owned computing devices for work-related purposes–known as Bring Your Own Device or BYOD–is not a new trend and security professionals have been concerned about it for some time, but there is a widely held view that the trend has been transformed of late. Why? Waves of mobile digital devices flooding into the workplace, threatening to overwhelm current information security policies, procedures, and controls.
A lot of organizations are still assessing the productivity benefits of iPads, iPods, iPhones, Android tablets, smartphones, and so on. At the same time IT managers are trying to weigh those benefits against the risks that come with these devices. But what is the real size and scope of the problem? Are current impressions of an onslaught of insecure mobile devices accurate? These are important questions with serious implications for information security. So ESET teamed up with Harris interactive to conduct a survey and provide some answers. Depending on your current perceptions the results may be very surprising.
First, there is the overall scale of the BYOD phenomenon:
In others words, BYOD is not coming, it is here, in a big way. And that is not necessarily a bad thing. It means your staff can stay in touch with up-to-the-minute, real-time data, regardless of where they happen to be, creating a compelling advantage for your organization. The use of these personally-owned devices spans a wide range, everything from airplane navigation and scheduling to marketing lead-capture; the devices are everywhere, and they’re here to stay. But what about when users are allowed, or even encouraged, to connect them to the corporate network, the company’s information infrastructure, can that really be secure?
IT teams and executives alike shudder at the thought of a user’s personal device accidentally (or unwittingly, or on purpose) running a rogue app and creating an entry point for scammers into the core intellectual property of the organization, thereby exposing the “crown jewels” to the bad guys. Scenarios like this keep the IT crowd awake at night. But how common is the practice of accessing and/or storing company information on personally-owned devices?
The answer depends on the type of device:
Those numbers suggest that there is a fairly logical adoption curve, with more mature technology being used for company purposes more often. As we will see in a moment, there is a security curve as well, and it is not reassuring.
If you stand at the back of a commercial flight these days you can see rows of passengers staring at a wide variety of devices, sometimes running cute little apps and games, and sometimes running business critical processes. Aside from the danger of spreading critical information to snoopy shoulder-surfers, this perspective makes it easy to see the variety of roles that the devices play. And I’m sure you’ve seen this scenario: halfway through the flight a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal. Obviously that’s a potential problem: bored users looking for cool things to install on their hip new piece of hardware. Maybe there’s a compelling reason to get that app, but is there a security context in place whereby this activity is vetted, especially when they are connecting that device to the company network? Beyond that, are basic measures in place to protect the data on the device if it falls into the wrong hands?
You might expect newer mobile users to be slightly more naïve about device security, but slick new mobile devices are often used by more senior staff, so you’d hope they would act more securely by default, but do they really? Here are some of the worrying statistics our survey revealed:
Clearly there is a lot of bad news here for BYOD security and you can sum it up like this: Right now less than half of all devices in the BYOD category are protected by the most basic of security measures.
If you are determined to take an optimistic view you could argue that a huge increase from current levels of BYOD security is possible, both cheaply and quickly, by doing the following:
These things are relatively easy to do on the most widely used BYOD devices where these features are often built in, so the cost is low: basically the price of a little security awareness and education. The cost of not taking these steps could be suffering the scariest kind of security breach, the kind that was easily preventable by basic BYOD security best practices.
Note: This survey was conducted online within the United States by Harris Interactive between February 8-10, 2012 among 2,211 adults (aged 18 and over) and 1,320 employed U.S. adults.