We have tried for many years to explain to business owners the real cost of letting their employees bring their own devices (technology). We have explained security concerns, disputes over responsibility if a device is damaged, who has control over content and data, etc. Yet, to be honest, most owners let the short-term financial gain outweigh any long-term security concerns. So, we will try again today with even more evidence and data to back our recommendations.
Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.
Just days before National Cyber Security Awareness Month, Bitdefender carried out a study on a representative chunk of Internet users living in the United States to evaluate their attitudes and behaviors related to data security at work. This may sound like a quote from Captain Obvious if you work in information security, but for the sake of the wider readership, I’ll still say it: We did not have great expectations on the consumer side, as it is prone to error and to trading security for convenience.
When the survey results came in, they were pretty much in line with what we already knew: BYOD (Bring Your Own Device) is riding high this year, and, subsequently, 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ secure networks. This would be no problem, except that the same study found 39.7% of users who connect personal mobile devices (laptops, tablets, and phones) to corporate networks have no lock-screen mechanism set in place. If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts companies in a weak position. In contrast, only 9.1% of BYOD users rely on biometric features (face, voice, or fingerprint recognition) as the preferred method for unlocking their mobile devices.
Another worrying aspect revealed by the study is that these devices rarely have emergency mitigation features: Two-thirds of employed Americans either don’t have the remote wipe function activated or don’t know about it. Without it, a third party could profit from the device, account, and data stored on it indefinitely. This includes company data and email accounts.
Device-sharing is another key focus of the Bitdefender study. According to the respondents, 29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees aged 45 to 64 share their devices to a lesser extent, while less-educated employees are more open to sharing.
As I mentioned above, this is almost excusable from the employees’ point of view. Who wants to waste their time drawing complex unlock patterns or to voluntarily subject their brains to the hassle of memorizing a medium-to-insanely complex domain password that changes every 30 days? Definitely not the 70% of US mobile device owners with a job. Granted, these employees are the legal owners of their devices and can take all the risks they want, but it’s your duty as a security professional to safeguard your company’s data and intellectual property that may live on those unmanaged devices. And last time I checked, the cost of a data breach was infinitely larger than the price of a comprehensive mobile device management solution.