Weak BYOD Security Endangering Company Data

Businesses are in danger of data breaches without informing employees of BYOD security policies and best practices.

As more employees bring their smartphones, tablets and notebooks to work and businesses implement bring-your-own-device, or BYOD, initiatives to increase worker productivity, they may also be putting corporate data at risk due to a lack of adequate security controls and employee education, according to a survey conducted by Coalfire, an IT governance, risk and compliance services company.

The majority of individuals are remain lax when it comes to mobile device security, especially how they store passwords, according to the study, which is based on a poll of 400 non-IT department individuals in a variety of industries in North America. The survey found 47 percent of respondents have no passcode on their mobile phone, even though 84 percent of individuals stated they use the same smartphone for personal and work usage. What's more, 36 percent said they reuse the same password, and 60 percent of respondents said they are still writing down passwords on a piece of paper.

"The BYOD trend is not slowing down, and while it has many benefits, it's also introducing a number of new security risks that may be foreign to many companies," Rick Dakin, CEO and chief security strategist with Coalfire, said in a prepared statement. "The results of this survey demonstrate that companies must do much more to protect their critical infrastructure as employees work from their own mobile devices, such as tablets and smartphones, in the workplace. Companies need to have security and education policies in place that protect company data on personal devices."

The survey suggested businesses are still lacking when it comes to educating employees on mobile security risks. Nearly half (49 percent) of respondents said their IT departments have not discussed mobile security or cyber-security with them, and 51 percent of respondents stated their companies do not have the ability to remotely wipe data from mobile devices if they are locked or lost. Only 25 percent reported a discussion from IT about mobile security, suggesting 75 percent were left to their own best judgment.

The report also indicates IT departments are also failing to communicate the policies they do have with employees, with 61 percent of respondents saying they had no knowledge of a social media policy, while 62 percent said the same about policies for mobile device usage. Smartphone users are also engaging in risky behavior, with 30 percent of respondents acknowledging that they have access to sensitive information, and another 16 percent unsure if they even have such access. These responses were similar to what we heard from tablet users: 34 percent of respondents said they have access to sensitive information and 13 percent unsure if they have such access.

"In contrast, Coalfire's audits typically show at least some IT support for mobile devices, and we commonly see policies that allow IT to de-activate and erase the data on lost devices," the report concluded. "However, employees do not seem to be aware of this: Only 21 percent of smartphone users knew that IT could wipe their phones. It seems that the mobile-device management (MDM) technology is well ahead of the communication efforts at many organizations."