Mobile
4/24/2014
05:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Employees Slacking on Security of Their Mobile Devices

A survey says that 15% say they had a password compromised.

Many employees still don't take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops.

This is happening at a time when the bring-your-own device (BYOD) explosion is well under way. Some 45% of employees on average have more than six third-party apps installed on their personal mobile devices, and 15% admit to having had a personal account or password compromised. There's an attitude among a few that they aren't responsible for locking down their mobile devices: 15% say their responsibility for this is "none to minimal," while about 10% have no password, PIN, or other security on the mobile devices they use for work.

The study, conducted by Osterman Research and commissioned by integrated identity management firm Centrify, included responses from more than 500 enterprise employees of organizations in North America with more than 1,000 employees.

Tom Kemp, CEO at Centrify, says it's surprising that 15% of the respondents had a password hacked or stolen. "And this means that the number is even greater, given that many users may not know their password has been stolen or don’t want to admit it. So we may be talking about 25% or more of passwords hacked," Kemp says in an email interview.

He also didn't expect to find that 10% don’t use a PIN or passcode for their mobile device. "The odds are too great your phone will get lost or stolen, so it is somewhat equivalent to putting your ATM passcode on a piece of tape and taping it to your ATM card and leaving your ATM card on tables in restaurants, etc.," Kemp says.

The survey also shows the challenges for enterprises to enforce corporate security policy on personally owned devices. "Better education is needed, but also corporations should look to use 'container' or 'workspace' technologies on mobile devices that provide a dual persona on the device," for example, Kemp says. Mobile vendors such as Apple and Samsung already are adding this type of workspace separation to their products, he says.

In a light-hearted -- yet revealing -- question about mobile-device loss, 32% say they would rather catch the flu or vacation with their mothers-in-law than inform their bosses that they had lost an unsecured mobile device.

"The [survey] results show that even employees of large multinational corporations, who are consistently warned of the dangers to their data directly from their IT department, are not keeping security top of mind," says Michael Osterman, principal of Osterman Research. "It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to."

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:49:41 AM
Re: More than just device security
Speaking from an employee/user perspective, I think you needa combination of awareness and easy to use tools. I am well aware of the dangers stemming from mobility but if the tools my company gives me to securely manage my mobile devices are too cumbersome, the daily demands of my job will take precidence...
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:41:45 PM
Re: More than just device security
Unfortunately, no amount of education will make people voluntarily care about security.  In order to secure personal devices you have one of two options, either force the security using a program such as MaaS 360, Good Mobile, etc. or make the person share in the liability.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/25/2014 | 2:32:51 PM
user apathy or lousy MDM?
With 45% of employees accessing sensitive corporate data on their personal devices via unsecured wifi, either they have no clue, don't care, or their corporate policy and management of mobile is weak. That's a lot of airport WiFi exposure...
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
4/25/2014 | 2:08:18 PM
BYOD
BYOD - every security manager's nightmare. If any work related thing would keep me up at night, that is it. Both a curse and a boon to organizations, its wide ranging impacts are a formidable challenge.
kobrien82
50%
50%
kobrien82,
User Rank: Apprentice
4/25/2014 | 12:57:53 PM
More than just device security
One of the most telling points from this is about the proliferation of apps on devices that serve dual-duty as personal and professional account access points. We often see that employees bring a device with them into work; in organizations using public cloud services, the apps they then install on that device are frequently given tremendous amounts of access to highly sensitive organizational data via the user's work accounts. 

BYOD and what it represents (access, employee autonomy, mobility, etc.) are indicative of new threats and risks in the security world, and there's often a pretty significant delay between the emergence of risk and a decent response. Andrew Rose from Forrester wrote about this just yesterday - more than 60% of most employees they surveyed have no sense of personal responsibility for the enforcement of security policy at all, let alone on devices that they perceive of as their own. 

What's needed is a better mechanism for visiblity into these risk points, and an undertanding of how to distinguish productive and risky behavior within them. Until that happens, there's no chance of bringing the security/user gap.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youre still focused on securing endpoints, youve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.