Nearly 80% of the 600 survey respondents who completed the substantive sections of the survey allowed communications and collaborative apps on personal mobile devices, nearly 60% of which also have general Internet apps (such as web browsing and media file sharing), while another 44% allow VPN access from BYOD and 26% allow access directly to business systems.
Four percent of the respondents answered that personal mobile devices are also accessing control system applications, while another 8% are allowing access to field service applications.
"Personal mobile device access to critical business and infrastructure systems should raise huge red flags to organizations thinking that their only concern will be e-mail on employee-owned smartphones, pads and tablets," says Deb Radcliff, chief of the SANS Analyst Program, which developed the report.
"Meanwhile, the means to protect access, applications and data are more difficult to develop and unify in mobile BYOD computing."
For example, providing a unified identity management framework was both the least practiced and the most difficult to achieve, according to respondents.
They are also trying to discern which tools and techniques make the best sense in protecting their networks and data from BYOD risks.
Securing devices and the mobile platforms was the top method of protection being implemented by 66% of respondents, with application lifecycle management being practiced by only 36% of organizations.
"Mobile application development seems to be repeating many of the mistakes from the past," says Kevin Johnson, SANS Analyst and author of the report. "And these weaknesses need to be resolved due to the sensitive nature of the data on the devices."
Of those 253 survey takers that also develop applications, the majority are web-based, with 32% of developers saying they also developed line of business applications. The good news that nearly 60% of them indicated they had application security lifecycle processes embedded in their development and testing cycles.
"The prominent use of mobile devices together with cloud computing have even greater potential to expose critical information than in the past," adds Barbara Filkins, SANS Analyst consulting on this survey. "Mobile application development can no longer afford to ignore security best practices."
Full results will be shared during a June 6 webcast at 1 PM EDT, sponsored by Box, SAP and Veracode, and hosted by SANS at www.sans.org/info/124512. Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and mobility expert, Kevin Johnson.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted, and by far the largest source for world-class information security training and security certification in the world offering over 50 training courses. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 20 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community. (www.SANS.org)