Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/5/2015
03:11 AM
Bogdan Botezatu
Bogdan Botezatu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Youre Doing BYOD Wrong: These Numbers Prove It

Almost 40% of users who connect personal mobile devices to corporate networks have no lock-screen mechanism set in place.

Just days before National Cyber Security Awareness Month, Bitdefender carried out a study on a representative chunk of Internet users living in the United States to evaluate their attitudes and behaviors related to data security at work.

This may sound like a quote from Captain Obvious if you work in infosec, but for the sake of the wider readership, I’ll still say it: We did not have great expectations on the consumer side, as it is prone to error and to trading security for convenience.

When the survey results came in, they were pretty much in line with what we already knew: BYOD is riding high this year, and, subsequently, 71% of employed Americans who own personal mobile devices are allowed to connect them to their employers’ secure networks.

This would be no problem, except that the same study found 39.7% of users who connect personal mobile devices (laptops, tablets, and phones) to corporate networks have no lock-screen mechanism set in place.

If lost or stolen, these devices would immediately expose their contents (private and work-related information) to unauthorized third parties, which puts companies in a weak position. In contrast, only 9.1% of BYOD users rely on biometric features (face, voice, or fingerprint recognition) as the preferred method for unlocking their mobile devices.

Another worrying aspect revealed by the study is that these devices rarely have emergency mitigation features: Two-thirds of employed Americans either don’t have the remote wipe function activated or don’t know about it, which would allow a third party to profit from the device, account, and data stored on it indefinitely. This includes company data and email accounts.

Device-sharing is another key focus of the Bitdefender study. According to the respondents, 29.7% of BYOD users would share their personal mobile devices with friends or family members even if they hold critical company data. Demographically, employees aged 45 to 64 share their devices to a lesser extent, while less-educated employees are more open to sharing.

As I mentioned above, this is almost excusable from the employees’ point of view. Who wants to waste their time drawing complex unlock patterns or to voluntarily subject their brains to the hassle of memorizing a medium-to-insanely complex domain password that changes every 30 days? Definitely not the 70% of US mobile device owners with a job.

What made me write about this study today, however, is a different aspect: the fact that a great deal of US companies have no policies for BYOD lovers, and the figures I shared above leave no room for interpretation.

Granted, these employees are the legal owners of their devices and can take all the risks they want, but it’s your duty as a security professional to safeguard your company’s data and intellectual property that may live on those unmanaged devices. And last time I checked, the cost of a data breach was infinitely larger than the price of a comprehensive mobile device management solution.

What about you? How are you dealing with the BYOD phenomenon in your organization?  

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the Web without protection or how to rodeo with wild ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PatrickH859
50%
50%
PatrickH859,
User Rank: Apprentice
12/2/2014 | 6:36:41 AM
Our policy
Speaking about BYOD policy in the office I can say that as soon as a person attaches any BYOD to the network, they ask for the login and password and if you are a strange person you will never get into. Then i know that there is an excellent metwork monitoring solution Anturis which is able to see how my BYOD behaves in the network. When the tool sees a problem it sends the alert and the device can be blocked at all. I think that the rules are nice and rather strict but they are affective in general.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/25/2014 | 4:49:16 PM
Re: We Don't Allow It
And what are the consequences?
ODA155
50%
50%
ODA155,
User Rank: Ninja
11/24/2014 | 9:43:53 AM
Re: We Don't Allow It
@phoenix522,... How do you know?
phoenix522
50%
50%
phoenix522,
User Rank: Strategist
11/21/2014 | 5:46:24 PM
We Don't Allow It
We simply don't allow it. Getting caught putting company data on a personal device is a punishable offense in our company.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.