BYOD Programs Pose Security Risk for Businesses: Ovum

Bring your own device (BYOD) initiatives may be here to stay, but businesses are at risk from security threats if they don’t manage devices properly.

Organizations that adopt bring-your-own-device programs without implementing mobile management policies could be exposed to security risks and resultant data losses. A survey of 4,000 full-time employees by technology consulting firm Ovum found that while nearly 70 percent of all smartphone-owning professionals are using their personal device to access corporate data, 80 percent of BYOD activity remains inadequately managed by IT departments.

The survey found nearly half of the IT departments of the respondents’ employers either did not know of BYOD or were ignoring its existence, operating a “don’t ask, don’t tell” policy, while just 8.1 percent actively discouraged it. Levels of ignorance by IT were significantly higher in mature economies with more rigid working practices, for instance Europe, when compared with high-growth economies such as Brazil, India and South Africa.

“Despite much speculation, BYOD is here to stay. Therefore, it’s worrying to see evidence of such a high proportion of businesses burying their head in the sand when it comes to planning adequately for it,” Ovum senior analyst Richard Absalom said in a statement. “BYOD multiplies the number of networks, applications and endpoints through which data is accessed. These are the three main points at which data is vulnerable; so, if left unmanaged, BYOD creates a huge data security risk.”

Ovum’s research shows that 50 percent of employees said privacy concerns would stop them accessing their own personal apps on a corporate-provisioned smartphone. For half of all employees, a corporately provisioned smartphone or tablet is not a perfect substitute for a personally owned device, indicating the consumerization of IT is playing a role not only in the way the mobile workforce develops, but how IT departments are going to manage security for a wide range of devices.

“The way people work will have a profound effect on how BYOD is rolled out and managed within an organization. As such, it’s imperative that IT departments act quickly to develop and implement clear policies governing BYOD,” Absalom continued. “BYOD can provide an added advantage in terms of productivity and efficiency but to do this it will be important to get the right blend of process, policy, people and technology management.”

Ovum’s report is the last in a spate of surveys this year highlighting the risks BYOD programs without structured use policies can pose to an organization.

A September study from telecom and IT services provider Grudi Associates suggested security is a major downside risk to BYOD initiatives, with data protection, human resources issues, compliance regulations and employee-usage policies all potentially complicating BYOD initiatives and eroding whatever cost advantage the program would produce.

A Trend Micro report released in September raised similar concerns. Cyber-criminals employ multiple compromised endpoints and social networking sites to infect a wide range of targets, including the most popular mobile devices such as those running Google Android and Apple iOS, according to the study. During a typical month, 4.3 percent of endpoints become infected, which translates to an infection rate of 52.1 percent annually, according to survey results, with a growing number of organizations reporting security violations through their use of the Web and email.