Bring-your-own-device (BYOD) is proving to be a worrisome security challenge for information security professionals with nearly half the respondents in a recent survey by the Information Security Community on LinkedIn admitting that their organizations are exposed to malware and embedded security exploits brought in by employees or others using downloaded apps or content on personal devices.
Only 21 percent of the 1,100 IT security practitioners responding in the second annual “BYOD & Mobile Security Study,” conducted by an online community of more than 200,000 InfoSec professionals, said their companies have fully implemented policies, processes and infrastructure to address BYOD, and 21 percent claimed that while personal devices are used in their organizations, they are not supported.
Despite the significant damage, including loss of company or client data and unauthorized access to data and systems, that the use of privately owned devices without proper security can wreak, most organizations simply have not kept pace with the explosion in use of those personal devices in the workplace.
The findings are consistent with the results of the group's first BYOD report, published last year, Holger Schulze, founder of the Information Security Community on LinkedIn, told SCMagazine.com.
“It's one of the largest surveys” on BYOD and the large sample of professionals who have to deal “day in and day out with the operational impact” ensures that it “is a reflection of what's going on in the market,” he said.
Personal devices have taken the workplace by storm because they allow businesses to be more nimble and workers more productive and efficient. And Schulze explained that encouraging BYOD is a good recruiting tool for employers.
“As an employer, it's a lure,” he said, noting that the days of using a computer in a workspace are long gone. Personal devices allow workers to “do what they need to” wherever they need to, said Schulze.
That's borne out by the research. The most popular use for the devices, at 86 percent, is accessing email, calendar and contacts, according to the study. Respondents said document access and editing apps are used 45 percent of the time, followed by SharePoint and intranet access at 41 percent. They also accessed apps for file sharing and company-built apps 34 percent of the time.
But security concerns are preventing companies — and employees — from getting the full benefits of personal devices.
Of the professionals surveyed, 74 percent said they were most concerned with protecting business data while 69 percent felt the need to safeguard customer and employee information. Protecting documents was the concern of 66 percent of the respondents.
Malware has grabbed the spotlight as well, with 60 percent saying malware protection is a must-have in any mobile security scheme.
That's not to say that organizations don't take steps to protect the devices. The survey found that the most popular tool used is mobile device management (MDM), which 43 percent of respondents say is used in their organizations. Endpoint security tools are used by 39 percent and 38 percent employ network access controls.
According to the study, password protection was the most common risk control measure, used by 67 percent of the respondents participating in the survey. Remote wiping of data is used by 52 percent and 43 percent use encryption.
But all of those measures fall short or present problems of their own — MDM, for example, doesn't detect malware and remote wiping works consistently on iOS but not on Android.
Most of the investment in safeguarding against the security problems associated with BYOD has been made at the perimeter, not in what Mike Banic, vice president of marketing at study sponsor Vectra Networks, called the “gooey center of the network.”
Banic told SCMagazine.com that organizations “need to evolve their security strategy” away from simply relying on perimeter security.
He advocated for network analysis in real time or near-real time, noting that from a network perspective companies need to “listen to network traffic, determine what's normal and white list behavior” that is normal and non-threatening. Then, they need to determine and address anomalies.