The bring-your-own-device (BYOD) movement may be popular with employees, but it may also be putting corporate data at risk due to a lack of adequate security controls, employer policies and employee education, according to a survey conducted by Coalfire, an IT governance, risk and compliance services company.
Calling BYOD -- where employees bring their smart phones, tablets and laptops to work and connect to corporate networks -- a “megatrend,” Coalfire said that the movement toward employee-owned devices is introducing a number of new security risks and that companies need to do much more to protect their infrastructure.
“Gone are the days where security professionals can lock down a finite set of machines and facilities. Instead, they must manage an ever-growing, ever-changing landscape of employees, devices and applications, many of which have access to information that needs to be protected,” said Mike Weber and Christopher Lietz, authors of the report.
Mobile device security begins with a password
The study, based on a poll of approximately 400 non-IT department individuals in a variety of industries, found 47% of respondents have no passcode on their mobile phone, even though 84% of individuals stated that they use the same smart phone for personal and work usage.
Sixty-eight percent of respondents reported that they used a laptop, with 31% of those laptops having been issued to them by their company. Tablets were a distant third in the survey, used by only 20% of respondents, and almost all of them are owned by the employee.
Mobile device security appears to be best understood when a laptop is being used, the survey found: 80% of laptop users employ passwords. Only 58% of tablet users employ this important layer of protection.
When they learned that a strong password meant using at least 8 characters, including letters, numbers and symbols, just half of the smart phone users surveyed claimed to have strong passwords. Tablet and laptop users were more confident, with 62% and 76%, respectively, claiming to have strong passwords.
Risky mobile device behaviors
Another set of questions in the survey focused on user behavior, specifically users' susceptibility to insecure networks, email phishing, malware downloads, shared passwords and plain bad practices.
Six in 10 respondents said they still write passwords down on a piece of paper while 36% of workers said they reuse the same password for different accounts. Thirty-two percent admitted to having joined unsecured, public Wi-Fi networks. Nearly four in 10 confessed to having clicked on links from emails purporting to be from financial institutions, a common phishing trap, while half of respondents said they clicked on links through social media.
“This is especially worrisome when coupled with users’ access privileges,” the authors wrote.
Thirty percent of smartphone users acknowledged that they have access to sensitive information, and another 16% weren’t sure if they have such access. Tablet users gave similar responses (34% and 13%, respectively).
Company policies also to blame for weak BYOD security
Employees are not solely to blame for potential security risks associated with BYOD.
Sixty-one percent of respondents said they had no knowledge of a company social media policy, and 62% said the same about policies for mobile dev