Bring-your-own-device (BYOD) programs have become increasingly popular with employees, many of whom prefer the freedom to use the personal mobile device of their choice and do business whenever and wherever they choose. However, according to a recent survey conducted by Coalfire, an IT governance, risk and compliance services company, the movement toward BYOD introduces a growing number of new mobile security risks, and companies are not taking the necessary measures to protect their sensitive company data. In its study, Coalfire found that BYOD programs lacking adequate security controls, employer policies and employee education are putting corporate data at risk.
The study, based on a poll of approximately 400 non-IT individuals in a variety of industries, found that 47 percent of respondents have no passcode on their mobile phone, even though 84 percent stated that they use the same smartphone for both personal and work purposes. When told that a strong password should consist of at least 8 characters, including letters, numbers and symbols, only 50 percent of smartphone users claimed to have strong passwords.
The survey also focused on user behavior. Coalfire found six in 10 respondents still write passwords down on a piece of paper while 36 percent of workers reuse the same password for different accounts. Thirty-two percent admitted to having joined unsecured, public Wi-Fi networks. Nearly four in 10 admitted to having clicked on links from emails purporting to be from financial institutions, a common phishing trap, while half of respondents said they clicked on links through social media. These high-risk security practices are especially worrisome when combined with users' access privileges. Thirty percent of smartphone users acknowledged that they have access to sensitive information, while another 16 percent weren't sure if they have such access.
While these statistics are troubling for organizations, employees are not solely to blame for the mobile security risks associated with BYOD. In an IT security review, Coalfire auditors found that companies often have policies in place, but employees are not aware of them. Sixty-two percent of respondents said they had no knowledge of a company mobile device policy, and only 25 percent reported that IT had discussed mobile security with them.
Recommendations to help secure corporate data on mobile devices include: creating a mobile device policy and communicating it early and often; having employees read and sign off on the policy; enforcing strong passwords and password rotation; using all available methods to control access to company data on mobile devices; regularly testing defenses to make sure that infected devices and careless users do not place the organization in jeopardy; and, last but not least, making certain that employees use a responsible and approved mobile buyback and recycling company when it is time to retire their used devices, so that any sensitive data left on those devices does not end up in the wrong hands.