Mobile
4/24/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Employees Slacking on Security of Their Mobile Devices

A survey says that 15% say they had a password compromised.

Many employees still don't take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops.

This is happening at a time when the bring-your-own device (BYOD) explosion is well under way. Some 45% of employees on average have more than six third-party apps installed on their personal mobile devices, and 15% admit to having had a personal account or password compromised. There's an attitude among a few that they aren't responsible for locking down their mobile devices: 15% say their responsibility for this is "none to minimal," while about 10% have no password, PIN, or other security on the mobile devices they use for work.

The study, conducted by Osterman Research and commissioned by integrated identity management firm Centrify, included responses from more than 500 enterprise employees of organizations in North America with more than 1,000 employees.

Tom Kemp, CEO at Centrify, says it's surprising that 15% of the respondents had a password hacked or stolen. "And this means that the number is even greater, given that many users may not know their password has been stolen or don’t want to admit it. So we may be talking about 25% or more of passwords hacked," Kemp says in an email interview.

He also didn't expect to find that 10% don’t use a PIN or passcode for their mobile device. "The odds are too great your phone will get lost or stolen, so it is somewhat equivalent to putting your ATM passcode on a piece of tape and taping it to your ATM card and leaving your ATM card on tables in restaurants, etc.," Kemp says.

The survey also shows the challenges for enterprises to enforce corporate security policy on personally owned devices. "Better education is needed, but also corporations should look to use 'container' or 'workspace' technologies on mobile devices that provide a dual persona on the device," for example, Kemp says. Mobile vendors such as Apple and Samsung already are adding this type of workspace separation to their products, he says.

In a light-hearted -- yet revealing -- question about mobile-device loss, 32% say they would rather catch the flu or vacation with their mothers-in-law than inform their bosses that they had lost an unsecured mobile device.

"The [survey] results show that even employees of large multinational corporations, who are consistently warned of the dangers to their data directly from their IT department, are not keeping security top of mind," says Michael Osterman, principal of Osterman Research. "It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:49:41 AM
Re: More than just device security
Speaking from an employee/user perspective, I think you needa combination of awareness and easy to use tools. I am well aware of the dangers stemming from mobility but if the tools my company gives me to securely manage my mobile devices are too cumbersome, the daily demands of my job will take precidence...
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:41:45 PM
Re: More than just device security
Unfortunately, no amount of education will make people voluntarily care about security.  In order to secure personal devices you have one of two options, either force the security using a program such as MaaS 360, Good Mobile, etc. or make the person share in the liability.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/25/2014 | 2:32:51 PM
user apathy or lousy MDM?
With 45% of employees accessing sensitive corporate data on their personal devices via unsecured wifi, either they have no clue, don't care, or their corporate policy and management of mobile is weak. That's a lot of airport WiFi exposure...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/25/2014 | 2:08:18 PM
BYOD
BYOD - every security manager's nightmare. If any work related thing would keep me up at night, that is it. Both a curse and a boon to organizations, its wide ranging impacts are a formidable challenge.
kobrien82
50%
50%
kobrien82,
User Rank: Apprentice
4/25/2014 | 12:57:53 PM
More than just device security
One of the most telling points from this is about the proliferation of apps on devices that serve dual-duty as personal and professional account access points. We often see that employees bring a device with them into work; in organizations using public cloud services, the apps they then install on that device are frequently given tremendous amounts of access to highly sensitive organizational data via the user's work accounts. 

BYOD and what it represents (access, employee autonomy, mobility, etc.) are indicative of new threats and risks in the security world, and there's often a pretty significant delay between the emergence of risk and a decent response. Andrew Rose from Forrester wrote about this just yesterday - more than 60% of most employees they surveyed have no sense of personal responsibility for the enforcement of security policy at all, let alone on devices that they perceive of as their own. 

What's needed is a better mechanism for visiblity into these risk points, and an undertanding of how to distinguish productive and risky behavior within them. Until that happens, there's no chance of bringing the security/user gap.
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.