Despite the rise in the use of personal devices for business use, U.S. consumers are showing scant concern for security when it comes to bring your own device (BYOD). According to a recent survey by Gartner, Inc., a quarter of business users admitted to having had a security issue with their private device in 2013, but only 27% of those respondents felt obliged to report this to their employer. The survey was conducted in the fourth quarter of 2013 with 995 full- or part-time workers in the U.S., all of whom use a private device for work purposes.
Meike Escherich, principal research analyst at Gartner, said in his blog that employee use of private mobile devices to access corporate information and services is exploding, and with this trend comes a series of potential drawbacks.
According to Escherich:
The threat of cyber attacks on mobile devices is increasing and can result in data loss, security breaches and compliance/regulatory violations. One of the biggest challenges for IT leaders is making sure that their users fully understand the implications of faulty mobile security practices and getting users and management to adhere to essential steps which secure their mobile devices. For many organizations, overcoming BYOD security challenges is a full-time task, with a host of operational issues.
Nearly half of the survey respondents said they spend more than one hour each day using private devices for work purposes. The data also suggests that around half of respondents regularly use their devices for social as well as productivity tasks. This has different implications. It might point to employees considering their personal devices as necessary tools for their jobs.
On the other hand, it also points to work-related documents regularly being transferred to private devices, leaving the security of the company network. In fact, 20% of respondents also stated that they do access data behind the workplace firewall using private devices.
Whatever the activity and the duration, any work activity on a private device inherently carries the threat of a security breach. That leaves IT organizations scrambling to come up with the right mix of mobile security defenses to balance protection, governance and user flexibility.
Businesses will need help from telecoms service providers (TSPs) to evaluate and implement policies and procedures, ongoing user education, and sourcing and deploying mobile security, encryption and mobile device management (MDM) solutions.
The key to having a secure device is making sure it is well-managed. Enterprises are being compelled to make decisions about whether or not to allow employee-owned devices to access their enterprise's network and information.
Failure to embrace BYOD will force it underground and into the shadows, where it will have the potential to publicly expose private data and open the enterprise to a data breach situation.
In our survey, 26% of respondents said their employer required use of BYOD devices and 15% had signed a BYOD agreement. A third of respondents have employers who are aware but don’t have a policy in place, and the rest said their employer was either not aware or they didn't know. This means 59% of survey respondents who regularly use their private devices for work have not yet signed a formal agreement with their employer.
Organizations that do decide to allow employee-owned devices need to develop solid BYOD policies based on their business requirements and risk profiles. At the moment, BYOD laptop, smartphone and tablet security policies are still incomplete in many companies, and contain gaps and other inconsistencies that don't measure up to business obligations. Many enterprises (especially in the smaller and midsize sector) lack the proper organizational structures to create these policies and must reorganize to provide the necessary governance for a successful mobility implementation.
For a BYOD program to work there has to be strict policy enforcement and compliant users—an issue that CIOs and IT directors are grappling with right now. All policy agreements have to be created with clear guidelines for cases of security breaches.