BYOD Policies Lag, Despite Employee Use of Personal Devices

A survey indicates nearly 60 percent of employees are making up their own bring your own device (BYOD) rules as they go along.


In spite of all the risks incurred by allowing foreign devices to access company data, a mere 39 percent of respondents work under the restrictions of a bring your own device (BYOD) policy, according to a survey by Software Advice.

An additional 20 percent of respondents said they don’t know if they do or not, indicating nearly 60 percent of employees are making up their own BYOD rules as they go along--or more alarmingly, not following any at all.

The survey also revealed more than half of respondents have transferred company files to their own devices, and just 49 percent of respondents implement security updates when they’re released.

Meanwhile, 35 percent of respondents admitted to transferring files, but said that the files contained nothing sensitive. In addition, 48 percent of respondents say they’ve never transferred files onto personal devices, and 18 percent said they had never transferred files.

A third of respondents maintain very poor security on their devices, meaning they either update them only occasionally, never do, or have no idea whether their systems are patched.

"Policies are going to vary from firm to firm but, for example, you are always going to want strong password controls in place," Daniel Humphries, researcher for Software Advice, told eWeek. "Employees have to keep their own devices patched, fixing the latest security vulnerabilities by installing updates immediately, and corporate data should be encrypted in case the device is stolen."

Humphries also recommended a clear separation of personal and corporate data on the device; companies can provide corporate apps for their data.

"You definitely want to get your lawyers to look over the document to avoid ambiguity--and liability," he added. "These are just some of the big things to consider. The good news is that there are lots of good templates and guides online and it’s worth taking the time to explore them, to pick what applies to you."

While almost half (49 percent) said they update their security immediately upon receiving an update, 9 percent said they were unsure how frequently they update and a substantial 11 percent said they never update at all.

This lack of concern for security is even more troubling when viewed in the light of a recent Gartner study that revealed a quarter of business users admitted to having had a security issue with their private device in 2013, but only 27 percent of those respondents felt obliged to report this to their employer.

"I think companies have to signal clearly to their employees that security is a priority for everybody, including the upper echelons. Some hastily banged out policy lists aren’t going to change anything, nor are a few email bulletins," Humphries said. "Education has to be ongoing. Some experts claim that tying the issues to their employees’ own experience is key--that if you teach people how to be secure about what matters to them in their own lives, then eventually that will pay off in their work life."

The report surveyed 385 adults in the U.S. who use their own devices, like smartphones, tablets, laptops and PCs, to access resources on their company’s internal networks.