
4/24/2014
05:00 PM

Employees Slacking on Security of Their Mobile Devices

A survey finds that 15% of respondents say they had a password compromised.

Many employees still don't take BYOD security seriously, a new survey shows: Nearly 45% have accessed sensitive corporate data on their personal devices via unsecured networks, such as those at airports or coffee shops.

This is happening at a time when the bring-your-own-device (BYOD) explosion is well under way. Some 45% of employees on average have more than six third-party apps installed on their personal mobile devices, and 15% admit to having had a personal account or password compromised. There's an attitude among a few that they aren't responsible for locking down their mobile devices: 15% say their responsibility for this is "none to minimal," while about 10% have no password, PIN, or other security on the mobile devices they use for work.

The study, conducted by Osterman Research and commissioned by integrated identity management firm Centrify, included responses from more than 500 enterprise employees of organizations in North America with more than 1,000 employees.

Tom Kemp, CEO at Centrify, says it's surprising that 15% of the respondents had a password hacked or stolen. "And this means that the number is even greater, given that many users may not know their password has been stolen or don’t want to admit it. So we may be talking about 25% or more of passwords hacked," Kemp says in an email interview.

He also didn't expect to find that 10% don’t use a PIN or passcode for their mobile device. "The odds are too great your phone will get lost or stolen, so it is somewhat equivalent to putting your ATM passcode on a piece of tape and taping it to your ATM card and leaving your ATM card on tables in restaurants, etc.," Kemp says.

The survey also shows the challenges for enterprises to enforce corporate security policy on personally owned devices. "Better education is needed, but also corporations should look to use 'container' or 'workspace' technologies on mobile devices that provide a dual persona on the device," for example, Kemp says. Mobile vendors such as Apple and Samsung already are adding this type of workspace separation to their products, he says.

In a light-hearted -- yet revealing -- question about mobile-device loss, 32% say they would rather catch the flu or vacation with their mothers-in-law than inform their bosses that they had lost an unsecured mobile device.

"The [survey] results show that even employees of large multinational corporations, who are consistently warned of the dangers to their data directly from their IT department, are not keeping security top of mind," says Michael Osterman, principal of Osterman Research. "It is clear organizations need to continue to educate employees on the dangers and risks of mobile security but also look to solutions that safeguard the devices and applications which these employees have access to."

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 8:49:41 AM
Re: More than just device security
Speaking from an employee/user perspective, I think you need a combination of awareness and easy to use tools. I am well aware of the dangers stemming from mobility but if the tools my company gives me to securely manage my mobile devices are too cumbersome, the daily demands of my job will take precedence...
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:41:45 PM
Re: More than just device security
Unfortunately, no amount of education will make people voluntarily care about security.  In order to secure personal devices you have one of two options, either force the security using a program such as MaaS 360, Good Mobile, etc. or make the person share in the liability.  
Kelly Jackson Higgins,
User Rank: Strategist
4/25/2014 | 2:32:51 PM
user apathy or lousy MDM?
With 45% of employees accessing sensitive corporate data on their personal devices via unsecured wifi, either they have no clue, don't care, or their corporate policy and management of mobile is weak. That's a lot of airport WiFi exposure...
GonzSTL,
User Rank: Ninja
4/25/2014 | 2:08:18 PM
BYOD
BYOD - every security manager's nightmare. If any work related thing would keep me up at night, that is it. Both a curse and a boon to organizations, its wide ranging impacts are a formidable challenge.
kobrien82,
User Rank: Apprentice
4/25/2014 | 12:57:53 PM
More than just device security
One of the most telling points from this is about the proliferation of apps on devices that serve dual-duty as personal and professional account access points. We often see that employees bring a device with them into work; in organizations using public cloud services, the apps they then install on that device are frequently given tremendous amounts of access to highly sensitive organizational data via the user's work accounts. 

BYOD and what it represents (access, employee autonomy, mobility, etc.) are indicative of new threats and risks in the security world, and there's often a pretty significant delay between the emergence of risk and a decent response. Andrew Rose from Forrester wrote about this just yesterday - more than 60% of most employees they surveyed have no sense of personal responsibility for the enforcement of security policy at all, let alone on devices that they perceive of as their own. 

What's needed is a better mechanism for visibility into these risk points, and an understanding of how to distinguish productive and risky behavior within them. Until that happens, there's no chance of bridging the security/user gap.