Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/5/2015
03:11 AM
Bogdan Botezatu
Bogdan Botezatu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Youre Doing BYOD Wrong: These Numbers Prove It

Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.

Just days before National Cyber Security Awareness Month, Bitdefender carried out a study on a representative chunk of Internet users living in the United States to evaluate their attitudes and behaviors related to data security at work.

This may sound like a quote from Captain Obvious if you work in infosec, but for the sake of the wider readership, I’ll still say it: We did not have great expectations on the consumer side, as it is prone to error and to trading security for convenience.

When the survey results came in, they were pretty much in line with what we already knew: BYOD is riding high this year, and, subsequently, 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ secure networks.

This would be no problem, except that the same study found 39.7% of users who connect personal mobile devices (laptops, tablets, and phones) to corporate networks have no lock-screen mechanism set in place.

If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts companies in a weak position. In contrast, only 9.1% of BYOD users rely on biometric features (face, voice, or fingerprint recognition) as the preferred method for unlocking their mobile devices.

Another worrying aspect revealed by the study is that these devices rarely have emergency mitigation features: Two-thirds of employed Americans either don’t have the remote wipe function activated or don’t know about it, which would allow a third party to profit from the device, account, and data stored on it indefinitely. This includes company data and email accounts.

Device-sharing is another key focus of the Bitdefender study. According to the respondents, 29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees aged 45 to 64 share their devices to a lesser extent, while less-educated employees are more open to sharing.

As I mentioned above, this is almost excusable from the employees’ point of view. Who wants to waste their time drawing complex unlock patterns or to voluntarily subject their brains to the hassle of memorizing a medium-to-insanely complex domain password that changes every 30 days? Definitely not the 70% of US mobile device owners with a job.

What made me write about this study today, however, is a different aspect: the fact that a great deal of US companies have no policies for BYOD lovers, and the figures I shared above leave no room for interpretation.

Granted, these employees are the legal owners of their devices and can take all the risks they want, but it’s your duty as a security professional to safeguard your company’s data and intellectual property that may live on those unmanaged devices. And last time I checked, the cost of a data breach was infinitely larger than the price of a comprehensive mobile device management solution.

What about you? How are you dealing with the BYOD phenomenon in your organization?  

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PatrickH859
50%
50%
PatrickH859,
User Rank: Apprentice
12/2/2014 | 6:36:41 AM
Our policy
Speaking about BYOD policy in the office I can say that as soon as a person attaches any BYOD to the network, they ask for the login and password and if you are a strange person you will never get into. Then i know that there is an excellent metwork monitoring solution Anturis which is able to see how my BYOD behaves in the network. When the tool sees a problem it sends the alert and the device can be blocked at all. I think that the rules are nice and rather strict but they are affective in general.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 4:49:16 PM
Re: We Don't Allow It
And what are the consequences?
ODA155
50%
50%
ODA155,
User Rank: Ninja
11/24/2014 | 9:43:53 AM
Re: We Don't Allow It
@phoenix522,... How do you know?
phoenix522
50%
50%
phoenix522,
User Rank: Strategist
11/21/2014 | 5:46:24 PM
We Don't Allow It
We simply don't allow it. Getting caught putting company data on a personal device is a punishable offense in our company.
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10101
PUBLISHED: 2019-07-23
ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
CVE-2019-10102
PUBLISHED: 2019-07-23
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
CVE-2019-10102
PUBLISHED: 2019-07-23
Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
CVE-2018-18670
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
CVE-2018-18672
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.