Employers and Their Employees Aren't Practicing BYOD Security

Sue Marquette Poremba

I've been talking about bring your own device (BYOD) and security risks a lot this year, and I expect that conversation to continue for quite a while. Many of those conversations have centered on security policies and on how employers and security departments can police devices that are owned by employees. Today, I'm going to look a little closer at what employees are actually doing with the personal devices they use to access the company network and company data. Are employees doing the right things to keep that information safe and secure?

The simple answer to that question is probably not. ESET recently conducted a study with Harris Interactive, and its findings included:

  • More than 30 percent of those who use their own laptop for work connect to the company via a "free" or public (likely hackable) network.
  • Thirty-seven percent of those surveyed do not use the basic auto-lock feature on their personal device.
  • Employees often let "other people" (family members, children, friends) use their personal electronic device.
  • A quarter of those surveyed revealed that they have been a victim of hacking or malware on an electronic device that they own.

The employees aren't the only ones to blame here. The survey found that 66 percent of employers have never bothered to institute a BYOD policy.

BYOD has been around for as long as employees have been able to use their home computer to log into their company email account. The trend has now exploded with smartphones and tablets, and the variety of new security threats has brought the topic to the forefront of security conversations. The bottom line, the survey found, is that neither employers nor employees are doing much to practice security. This isn't just a problem for the company, but for the person who owns the device as well, who likely has plenty of personal information on that device that he or she puts at risk.

Here's a great example of how lax we can be with our devices and security, from the ESET Threat Blog:

If you stand at the back of a commercial flight these days you can see rows of passengers staring at a wide variety of devices, sometimes running cute little apps and games, and sometimes running business critical processes. ... And I'm sure you've seen this scenario: halfway through the flight a user switches from super-critical pieces of corporate work to checking out the app they downloaded while waiting in the airport terminal. Obviously that's a potential problem: bored users looking for cool things to install on their hip new piece of hardware. Maybe there's a compelling reason to get that app, but is there a security context in place whereby this activity is vetted, especially when they are connecting that device to the company network? Beyond that, are basic measures in place to protect the data on the device if it falls into the wrong hands?

The Threat Blog goes on to say the worst violators tend to be senior staff who more often use the newest devices, who perhaps should know better or be more aware or caring about protecting corporate data. But as more people at all employee levels decide to use smartphones and tablets, the security problems are only going to get worse - especially if the devices are used by employees who otherwise wouldn't have access to a company-owned phone or laptop. Are they going to care or know the company's BYOD security policy (if there is one)? Is the security staff going to automatically think to educate those employees?

Either way, the time has come for employers to set up security policies.



Apr 23, 2012 11:16 AM, urthalebeg says:

Excellent points that you laid out here! I think that BYOD is a big issue, and a big security issue. In the healthcare industry, BYOD has opened a lot of hospitals and doctors up to lawsuits and HIPAA violations because they are texting confidential patient info and then losing the phone or getting it hacked.

We solved this issue by getting TigerText, which is HIPAA-compliant texting that works with any BYOD iPhone, Android, or BlackBerry. Basically, TigerText has a closed system that deletes the messages after X period of time.

BYOD FLEXIBILITY - SECURITY

Great article, especially the part about flexibility. I understand that IT departments don't want the flexibility for security reasons, but I agree that there needs to be flexibility.

At the hospital I work at, we have the burden of meeting HIPAA requirements, particularly since many doctors send and receive patient info via text messaging on their BYOD phones.

This opens the hospital to HIPAA-related lawsuits if the doctor loses their phone or it is hacked. If we are inflexible, then the doctors will not be able to handle as many patients, since texting patient info speeds things up.

In order to deal with the issue, we got the doctors to use TigerText, which deletes the text messages after a period of time, making it HIPAA compliant.

I don't know if this is the best solution for everyone, but it was an easy and cost-effective way to deal with this issue. It was added to the IT department's responsibilities, but once the department's business objectives were redefined on this issue, they were able to handle it better.

The BYOD issues that IT departments are dealing with are only going to become more complex in the future and your article raised some important points.

I also found this article on BYOD that adds to your article with some additional charts and findings:

http://byod.us/bring-your-own-device-importance-of-defining-business-objectives/

also: http://www.tigertext.com
