BYOD Security Puts Corporate Data at Risk

The BYODevice movement is gaining momentum. A recent survey found that by year end 2011, nearly half of all devices in the workplace were employee owned.

The Bring Your Own Device (BYOD) phenomenon is gaining momentum. A recent survey by CIO Magazine found that by the end of 2011, nearly half of all mobile devices used in the workplace were employee-owned.

The simple fact is that employees like to use their own stuff. As consumers, they have access to the best devices – iPad, iPhones, Android phones, tablets and notebooks – and all the apps that come with them. They don’t want the hassle of carrying around two different phones, and don’t want to use the clunky laptops and complicated software offered by their employers.

Rather than fight it, many companies are embracing the BYOD trend. Kraft, Whirlpool and some divisions of IMB are some of the larger names that have already established BYOD guidelines for their employees. However, at the same time, there are some serious concerns when it comes to BYOD security, especially around corporate data.

Is BYOD a security nightmare?

Without proper corporate guidelines in place around BYOD, employers can easily lose control over how and where their corporate information is stored.

With new cloud computing technologies like SaaS, users can now self-select and install their own business applications, without the need to consult IT. This presents significant security concerns, as many employees are unaware of the risks involved in using certain applications. The recent Dropbox security breach is a timely reminder of how easily information can be compromised.

It’s not uncommon for employees to use personal cloud storage solutions, like Dropbox, iCloud and Google Drive, to store and access business files remotely. They allow for better collaboration with employees across different geographic areas, or who may be working from home.

However, these solutions often lack the vigilant security protection required by corporations to protect confidential data, like data encryption, managed user permissions and remote document control. It’s no surprise that in May 2012, IBM banned the use of Dropbox by all of its employees.

Lax approach to security causes major headaches for employers

Another concern around BYOD is the lax approach some employees take toward mobile device security.

According to a recent survey by Coalfire, an IT governance, risk and compliance services company, 47 percent of respondents had no password protection on their mobile phone, even though 84 percent admitted to using this device for work. Forty-two percent of tablet users also admitted to missing this important layer of protection.

What’s more, 36 percent of respondents said they reused the same password, and 60 percent are still writing down passwords on a piece of paper!

Employees unaware of data security risks

The Coalfire survey also revealed that nearly half (49 percent) of respondents said their IT departments had not discussed mobile security or cyber security with them. Only 25 percent reported a discussion with IT, suggesting that 75 percent were left to exercise their own judgment.

What’s more, fifty one percent said their company did not have the ability to remotely wipe data from their mobile device if it was locked or lost — a huge problem if the device is also not password protected.

Security policies need to be updated

In order to reduce the security risks associated with BYOD initiatives, companies need to review and update their existing security policies to include the use of personal devices in the workplace. Businesses should also consider implementing the following 5 initiatives.

5 Ways to Boost BYOD Security

Arm your employees with knowledge: Educate employees on the security risks and best practices for using personal devices in the workplace
Power-on passwords: Enforce power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device in the event that it’s lost or stolen. Companies should also extend corporate policies around password-strength and password expiry for personal devices
Monitor business app usage: Employees should provide a list of the business apps they are using, along with the account information, to IT. This includes granting IT permission to access the site and check the site before the employee shuts it down (especially after the employee leaves)
Set stronger authentication: Enforce a stronger authentication process if users are allowed to store sensitive data or trade secrets on smartphones or tablets
Encryption or nothing: Make encryption the price of being allowed to keep corporate data on mobile devices. This can be challenging in mobile security because there are different encryption options for various mobile platforms. Build and maintain a list of ‘approved’ devices that meet your security criteria.

BYOD cannot be realistically eliminated from the workplace. Employers must therefore learn to adapt and be vigilant in protecting their corporate information. Without the proper guidelines in place and adequate employee education around data security, companies could stand to lose a whole lot more than they bargained for.

Debbie Stephenson

Debbie Stephenson is a former Content Marketing Manager at Firmex.