05:00 PM
Connect Directly

Employees Slacking on Security of Their Mobile Devices

A survey says that 15% say they had a password compromised.

Many employees still don't take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops.

This is happening at a time when the bring-your-own device (BYOD) explosion is well under way. Some 45% of employees on average have more than six third-party apps installed on their personal mobile devices, and 15% admit to having had a personal account or password compromised. There's an attitude among a few that they aren't responsible for locking down their mobile devices: 15% say their responsibility for this is "none to minimal," while about 10% have no password, PIN, or other security on the mobile devices they use for work.

The study, conducted by Osterman Research and commissioned by integrated identity management firm Centrify, included responses from more than 500 enterprise employees of organizations in North America with more than 1,000 employees.

Tom Kemp, CEO at Centrify, says it's surprising that 15% of the respondents had a password hacked or stolen. "And this means that the number is even greater, given that many users may not know their password has been stolen or don’t want to admit it. So we may be talking about 25% or more of passwords hacked," Kemp says in an email interview.

He also didn't expect to find that 10% don’t use a PIN or passcode for their mobile device. "The odds are too great your phone will get lost or stolen, so it is somewhat equivalent to putting your ATM passcode on a piece of tape and taping it to your ATM card and leaving your ATM card on tables in restaurants, etc.," Kemp says.

The survey also shows the challenges for enterprises to enforce corporate security policy on personally owned devices. "Better education is needed, but also corporations should look to use 'container' or 'workspace' technologies on mobile devices that provide a dual persona on the device," for example, Kemp says. Mobile vendors such as Apple and Samsung already are adding this type of workspace separation to their products, he says.

In a light-hearted -- yet revealing -- question about mobile-device loss, 32% say they would rather catch the flu or vacation with their mothers-in-law than inform their bosses that they had lost an unsecured mobile device.

"The [survey] results show that even employees of large multinational corporations, who are consistently warned of the dangers to their data directly from their IT department, are not keeping security top of mind," says Michael Osterman, principal of Osterman Research. "It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to."


Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:49:41 AM
Re: More than just device security
Speaking from an employee/user perspective, I think you needa combination of awareness and easy to use tools. I am well aware of the dangers stemming from mobility but if the tools my company gives me to securely manage my mobile devices are too cumbersome, the daily demands of my job will take precidence...
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:41:45 PM
Re: More than just device security
Unfortunately, no amount of education will make people voluntarily care about security.  In order to secure personal devices you have one of two options, either force the security using a program such as MaaS 360, Good Mobile, etc. or make the person share in the liability.  
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
4/25/2014 | 2:32:51 PM
user apathy or lousy MDM?
With 45% of employees accessing sensitive corporate data on their personal devices via unsecured wifi, either they have no clue, don't care, or their corporate policy and management of mobile is weak. That's a lot of airport WiFi exposure...
User Rank: Ninja
4/25/2014 | 2:08:18 PM
BYOD - every security manager's nightmare. If any work related thing would keep me up at night, that is it. Both a curse and a boon to organizations, its wide ranging impacts are a formidable challenge.
User Rank: Apprentice
4/25/2014 | 12:57:53 PM
More than just device security
One of the most telling points from this is about the proliferation of apps on devices that serve dual-duty as personal and professional account access points. We often see that employees bring a device with them into work; in organizations using public cloud services, the apps they then install on that device are frequently given tremendous amounts of access to highly sensitive organizational data via the user's work accounts. 

BYOD and what it represents (access, employee autonomy, mobility, etc.) are indicative of new threats and risks in the security world, and there's often a pretty significant delay between the emergence of risk and a decent response. Andrew Rose from Forrester wrote about this just yesterday - more than 60% of most employees they surveyed have no sense of personal responsibility for the enforcement of security policy at all, let alone on devices that they perceive of as their own. 

What's needed is a better mechanism for visiblity into these risk points, and an undertanding of how to distinguish productive and risky behavior within them. Until that happens, there's no chance of bringing the security/user gap.
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youre still focused on securing endpoints, youve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.