Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/5/2015
03:11 AM
Bogdan Botezatu
Bogdan Botezatu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Youre Doing BYOD Wrong: These Numbers Prove It

Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.

Just days before National Cyber Security Awareness Month, Bitdefender carried out a study on a representative chunk of Internet users living in the United States to evaluate their attitudes and behaviors related to data security at work.

This may sound like a quote from Captain Obvious if you work in infosec, but for the sake of the wider readership, I’ll still say it: We did not have great expectations on the consumer side, as it is prone to error and to trading security for convenience.

When the survey results came in, they were pretty much in line with what we already knew: BYOD is riding high this year, and, subsequently, 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ secure networks.

This would be no problem, except that the same study found 39.7% of users who connect personal mobile devices (laptops, tablets, and phones) to corporate networks have no lock-screen mechanism set in place.

If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts companies in a weak position. In contrast, only 9.1% of BYOD users rely on biometric features (face, voice, or fingerprint recognition) as the preferred method for unlocking their mobile devices.

Another worrying aspect revealed by the study is that these devices rarely have emergency mitigation features: Two-thirds of employed Americans either don’t have the remote wipe function activated or don’t know about it, which would allow a third party to profit from the device, account, and data stored on it indefinitely. This includes company data and email accounts.

Device-sharing is another key focus of the Bitdefender study. According to the respondents, 29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees aged 45 to 64 share their devices to a lesser extent, while less-educated employees are more open to sharing.

As I mentioned above, this is almost excusable from the employees’ point of view. Who wants to waste their time drawing complex unlock patterns or to voluntarily subject their brains to the hassle of memorizing a medium-to-insanely complex domain password that changes every 30 days? Definitely not the 70% of US mobile device owners with a job.

What made me write about this study today, however, is a different aspect: the fact that a great deal of US companies have no policies for BYOD lovers, and the figures I shared above leave no room for interpretation.

Granted, these employees are the legal owners of their devices and can take all the risks they want, but it’s your duty as a security professional to safeguard your company’s data and intellectual property that may live on those unmanaged devices. And last time I checked, the cost of a data breach was infinitely larger than the price of a comprehensive mobile device management solution.

What about you? How are you dealing with the BYOD phenomenon in your organization?  

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
phoenix522
50%
50%
phoenix522,
User Rank: Strategist
11/21/2014 | 5:46:24 PM
We Don't Allow It
We simply don't allow it. Getting caught putting company data on a personal device is a punishable offense in our company.
ODA155
50%
50%
ODA155,
User Rank: Ninja
11/24/2014 | 9:43:53 AM
Re: We Don't Allow It
@phoenix522,... How do you know?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 4:49:16 PM
Re: We Don't Allow It
And what are the consequences?
PatrickH859
50%
50%
PatrickH859,
User Rank: Apprentice
12/2/2014 | 6:36:41 AM
Our policy
Speaking about BYOD policy in the office I can say that as soon as a person attaches any BYOD to the network, they ask for the login and password and if you are a strange person you will never get into. Then i know that there is an excellent metwork monitoring solution Anturis which is able to see how my BYOD behaves in the network. When the tool sees a problem it sends the alert and the device can be blocked at all. I think that the rules are nice and rather strict but they are affective in general.
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "SpearPhish! Everyone out of the office!"
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...
CVE-2019-1940
PUBLISHED: 2019-07-17
A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certifi...
CVE-2019-1941
PUBLISHED: 2019-07-17
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because th...