Missing in Action: BYOD Security
Despite the prevalence of BYOD in the enterprise, many organizations act as if mobile device security is optional. Ditto for employee security training.
By Samuel Greengard
We all know that enterprise resources are tight and addressing the daily blitzkrieg of security problems is a daunting exercise. However, various studies and reports indicate that the issue transcends funding and resources. Many gaps, glitches and breakdowns revolve around bad policies or, in some cases, an utter lack of policies.
A new study by security vendor Webroot demonstrates this point. While 98 percent of employers have a security policy in place for mobile access to corporate data, 21 percent allow employee access with no security at all. What's more, the vast majority of employee devices lack genuine security. Only 19 percent reported installing a full security app and 64 percent of employees admitted using only the basic security features that came with their devices.
There's also a strong undercurrent of employees attempting to dictate terms to employers. Nearly half (46 percent) of employees using personal devices said they would stop using their devices for business purposes if their employer mandated installation of a specific security app. Ouch!
Clearly, the situation is a mess—and it's not likely to get better soon. Somewhere in the middle of all of this, there's a pressing need for CIOs and other IT and security executives to focus on some key issues or risk losing the enterprise jewels.
First of all, mobile device security isn't optional. It must be installed on every device and include always-on password protection, wipe features and, for many organizations, some type of endpoint security. These are the baselines. Yet, at the same time, decisions about which products to use and how to use them must be partly driven by employees. And this means bringing workers into the decision-making process.
There's also the issue of educating employees about the security risks associated with mobile devices. Incredibly, studies show that as many as 80 percent of companies lack this critical component. This includes informing employees about ways people inadvertently share or expose important data and information.
Finally, there's a dire need for clear policies and, as the Webroot report suggests, a BYOD Bill of Rights that acknowledges employee concerns and allows them to provide input. A 2013 Acronis survey with Ponemon Institute found that 60 percent of firms lack a personal device policy.
Understand this essential fact: BYOD is here to stay. If you can't do the basic blocking and tackling, you can't expect to win the game.
About the Author
Samuel Greengard is a contributing writer for CIO Insight. His previous CIO Insight blog post is "Location, Location, Location."