Many employees still don't take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops.
This is happening at a time when the bring-your-own-device (BYOD) explosion is well under way. Some 45% of employees on average have more than six third-party apps installed on their personal mobile devices, and 15% admit to having had a personal account or password compromised. There's an attitude among a few that they aren't responsible for locking down their mobile devices: 15% say their responsibility for this is "none to minimal," while about 10% have no password, PIN, or other security on the mobile devices they use for work.
The study, conducted by Osterman Research and commissioned by integrated identity management firm Centrify, included responses from more than 500 enterprise employees of organizations in North America with more than 1,000 employees.
Tom Kemp, CEO at Centrify, says it's surprising that 15% of the respondents had a password hacked or stolen. "And this means that the number is even greater, given that many users may not know their password has been stolen or don’t want to admit it. So we may be talking about 25% or more of passwords hacked," Kemp says in an email interview.
He also didn't expect to find that 10% don’t use a PIN or passcode for their mobile device. "The odds are too great your phone will get lost or stolen, so it is somewhat equivalent to putting your ATM passcode on a piece of tape and taping it to your ATM card and leaving your ATM card on tables in restaurants, etc.," Kemp says.
The survey also shows the challenges enterprises face in enforcing corporate security policy on personally owned devices. "Better education is needed, but also corporations should look to use 'container' or 'workspace' technologies on mobile devices that provide a dual persona on the device," for example, Kemp says. Mobile vendors such as Apple and Samsung already are adding this type of workspace separation to their products, he says.
In a light-hearted -- yet revealing -- question about mobile-device loss, 32% say they would rather catch the flu or vacation with their mothers-in-law than inform their bosses that they had lost an unsecured mobile device.
"The [survey] results show that even employees of large multinational corporations, who are consistently warned of the dangers to their data directly from their IT department, are not keeping security top of mind," says Michael Osterman, principal of Osterman Research. "It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to."