BYOD Security Policies Lacking

Sue Marquette Poremba

An article at Computerworld asks whether bring your own device (BYOD) is giving the "inmates in the asylum" all the control.

BYOD is a security risk for companies, and one that is going to be talked about a lot now that technology has made sure we never have to be disconnected from our jobs. A recent Harris Interactive poll found that more than 50 percent of employees use portable devices to take sensitive information outside the company walls. Those portable devices now include not only smartphones and tablets but also laptops and flash drives. The poll found that the vast majority of companies allow employees to use those devices and have an encryption policy for them, but only 34 percent actually enforce those policies on personal devices (and just 35 percent on company-owned devices).

Another survey, by SolarWinds and Network World, isn't any more promising. Of the 400 IT professionals interviewed about BYOD, more than 65 percent said they don't have the tools in place to manage personal devices on the corporate network, and 27 percent said they aren't sure which personal devices are accessing the network.

No wonder it seems like the inmates are running the asylum. Companies seem to be saying, "We trust you to be safe and secure with your device, and we know you won't do anything foolish to compromise the network or corporate data." If you think that failing to develop and enforce a BYOD security policy isn't a big deal, you are setting your security program up to fail.

Let's face facts: People are careless. Look at the number of forgotten phones and computers at TSA security checkpoints. It baffles me - how can you forget to pick up your phone or computer? And people are nosy. They will look over your shoulder to see what you are working on. And then there are the phone snoops - probably the same people who snoop in your bathroom cupboard. If your phone is sitting on a table or countertop during a social gathering, the phone snoop will casually pick it up and go through your text messages, pictures and email without thinking twice about it. Someone tried to do that with my phone once, but my phone is password-protected. Too many people don't bother with that simple level of security.

 

Kevin Vlasich, cryptography and information security specialist at Imation, provided me with a few tips to share with IT professionals on how to better secure the network and company data from the influx of BYOD. Vlasich warns to always assume the following:

1. The worst! Don't hire a penetration tester; save your money and assume "they" will get in. 75 percent of organizations have suffered data loss from negligent or malicious insiders.

2. That employees will use their personal devices on the corporate network, even if they are told not to. More than 50 percent of employees use portable devices to take confidential data out of their companies every day.

3. That your employees value convenience more than security. If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don't underestimate the ingenuity of employees looking to circumvent procedures that slow them down.

4. That flash drives will be lost and IT will never know. Losing a $10 flash drive can be even worse than losing a laptop: stolen or lost laptops are reported, while $10 flash drives are quietly replaced. Use encrypted flash drives or don't use them at all. Right now only 35 percent of companies enforce data encryption on company-issued devices.

5. That an organization's first and last line of defense against a security breach is its own employees. Training employees in good security practices offers the most bang for the buck. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements: if it looks too good to be true, it really is.




Apr 20, 2012 6:57 AM Spencer Parkinson says:

Sue, great read! I feel another important point that needs to be made is that organizations need to stop focusing solely on the devices, be they corporate- or employee-owned, as that is only one part of the equation; and to be honest, it's not the most important part at that. The primary focus should be on protecting sensitive information no matter where it ends up, mobile or otherwise. That is why here at Symantec we have such a broad range of technologies as part of our enterprise mobility strategy, from MDM, MAM and MIM to DLP and Authentication.

Spencer Parkinson

Symantec

Apr 20, 2012 9:27 AM Jonathan says:

I do not know what is so hard about resisting the urge to bring your own devices when you work in a high-level security environment with sensitive information. All five points you listed are so true. Penetration testers can often waste time, as you know what you already know. It's the culture that we live in that people feel entitled to have their devices. My time is precious to me; I can't stand having to learn and go through extra precautions and inconveniences because professionals lack common sense when it comes to security measures. I mean, that's literally what they teach you in cyber security 101.
