Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/5/2015
03:11 AM
Bogdan Botezatu
Bogdan Botezatu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

You’re Doing BYOD Wrong: These Numbers Prove It

Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.

Just days before National Cyber Security Awareness Month, Bitdefender carried out a study on a representative chunk of Internet users living in the United States to evaluate their attitudes and behaviors related to data security at work.

This may sound like a quote from Captain Obvious if you work in infosec, but for the sake of the wider readership, I’ll still say it: We did not have great expectations on the consumer side, as it is prone to error and to trading security for convenience.

When the survey results came in, they were pretty much in line with what we already knew: BYOD is riding high this year, and, subsequently, 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ secure networks.

This would be no problem, except that the same study found 39.7% of users who connect personal mobile devices (laptops, tablets, and phones) to corporate networks have no lock-screen mechanism set in place.

If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts companies in a weak position. In contrast, only 9.1% of BYOD users rely on biometric features (face, voice, or fingerprint recognition) as the preferred method for unlocking their mobile devices.

Another worrying aspect revealed by the study is that these devices rarely have emergency mitigation features: Two-thirds of employed Americans either don’t have the remote wipe function activated or don’t know about it, which would allow a third party to profit from the device, account, and data stored on it indefinitely. This includes company data and email accounts.

Device-sharing is another key focus of the Bitdefender study. According to the respondents, 29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees aged 45 to 64 share their devices to a lesser extent, while less-educated employees are more open to sharing.

As I mentioned above, this is almost excusable from the employees’ point of view. Who wants to waste their time drawing complex unlock patterns or to voluntarily subject their brains to the hassle of memorizing a medium-to-insanely complex domain password that changes every 30 days? Definitely not the 70% of US mobile device owners with a job.

What made me write about this study today, however, is a different aspect: the fact that a great deal of US companies have no policies for BYOD lovers, and the figures I shared above leave no room for interpretation.

Granted, these employees are the legal owners of their devices and can take all the risks they want, but it’s your duty as a security professional to safeguard your company’s data and intellectual property that may live on those unmanaged devices. And last time I checked, the cost of a data breach was infinitely larger than the price of a comprehensive mobile device management solution.

What about you? How are you dealing with the BYOD phenomenon in your organization?  

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PatrickH859
50%
50%
PatrickH859,
User Rank: Apprentice
12/2/2014 | 6:36:41 AM
Our policy
Speaking about BYOD policy in the office I can say that as soon as a person attaches any BYOD to the network, they ask for the login and password and if you are a strange person you will never get into. Then i know that there is an excellent metwork monitoring solution Anturis which is able to see how my BYOD behaves in the network. When the tool sees a problem it sends the alert and the device can be blocked at all. I think that the rules are nice and rather strict but they are affective in general.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 4:49:16 PM
Re: We Don't Allow It
And what are the consequences?
ODA155
50%
50%
ODA155,
User Rank: Ninja
11/24/2014 | 9:43:53 AM
Re: We Don't Allow It
@phoenix522,... How do you know?
phoenix522
50%
50%
phoenix522,
User Rank: Strategist
11/21/2014 | 5:46:24 PM
We Don't Allow It
We simply don't allow it. Getting caught putting company data on a personal device is a punishable offense in our company.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18923
PUBLISHED: 2019-11-13
Insufficient content type validation of proxied resources in go-camo before 2.1.1 allows a remote attacker to serve arbitrary content from go-camo's origin.
CVE-2010-4664
PUBLISHED: 2019-11-13
In ConsoleKit before 0.4.2, an intended security policy restriction bypass was found. This flaw allows an authenticated system user to escalate their privileges by initiating a remote VNC session.
CVE-2010-4817
PUBLISHED: 2019-11-13
pithos before 0.3.5 allows overwrite of arbitrary files via symlinks.
CVE-2013-3097
PUBLISHED: 2019-11-13
Unspecified Cross-site scripting (XSS) vulnerability in the Verizon FIOS Actiontec MI424WR-GEN3I router.
CVE-2013-3366
PUBLISHED: 2019-11-13
Undocumented TELNET service in TRENDnet TEW-812DRU when a web page named backdoor contains an HTML parameter of password and a value of j78G�DFdg_24Mhw3.