"Bring your own device." It's perhaps the biggest trend in corporate computing usage in the past 18 months. But yet another study is showing that BYOD security is sorely lacking.
A new study from KnowBe4 and Information Technology Intelligence Consulting shows that 71 percent of businesses that allow BYOD have no specific policies and procedures in place to support BYOD deployment and ensure security.
Considering that nearly two-thirds of businesses surveyed have adopted the BYOD trend and allow employees to use their mobile devices as a corporate desktop to access organizational data, that's a potentially dangerous problem.
"Mobile devices are the new target-rich environment," said Kevin Mitnick, former "most wanted" hacker and KnowBe4's chief hacking officer. "Based on lessons learned in the early days of the personal computer, businesses should make it a top priority to proactively address mobile security so they avoid same mistakes [of the PC era] that resulted in untold system downtime and billions of dollars in economic loss."
The Scary (Unsecure) Numbers
According to the survey, organizations are split on who takes responsibility for the security of BYOD devices. Some 37 percent of respondents indicated the corporation was responsible; 39 percent said the end users were responsible; 21 percent said both bear equal responsibility, and the remaining 3 percent were "unsure."
Presently, 51 percent of workers use smartphones as their BYOD devices; another 44 percent use notebooks and Ultrabooks, while 31 percent of respondents indicated they use tablets -- most notably the Apple iPad -- and 23 percent use home-based desktop PCs or Macs.
A 57 percent majority of respondents said they purchased/owned the devices they used for work; compared with only 19 percent that indicated the company buys and owns them. And the top three challenges with respect to BYOD deployment were: difficulty of management and support (63 percent); provisioning new applications (59 percent) and security (48 percent).
Despite the growing body of evidence that suggests BYOD security is compromising the enterprise, ITIC principal analyst Laura DiDio told us BYOD is here to stay -- and its usage is expanding quickly because the five-day workweek is a thing of the past.
"The survey findings should act as a wake-up call to galvanize corporations into proactively managing and securing corporate data accessed by mobile BYOD devices before they suffer an expensive and potentially crippling loss or hack," DiDio said.
As she sees it, every firm and academic institution -- regardless of size or vertical market -- should conduct a risk assessment review and adopt strong security and management policies to deal with increasingly mobile BYOD deployments.
DiDio recommends businesses and academic institutions create a strong first layer of a "defense-in-depth" strategy that incorporates security policies, procedures, and security awareness training to deal with the potential risks and ramifications of BYOD deployments.
"Security awareness training should be an integral part of a BYOD deployment, just as Human Resources departments require sexual harassment training," DiDio said. "The 'defense-in-depth' strategy's security awareness training is an important element in BYOD deployments. This type of training ensures employees and students will fully comprehend the mechanisms of spam, phishing, spear-phishing, malware and social engineering, and are able to apply this knowledge to the personal devices used for and at the workplace."