Exploring the BYOD security dynamic
Webroot examined the use and security of personal mobile devices in the work environment from both the employee and employer perspectives.
The initial survey, conducted in late 2013, explored the prevalence of employee-owned devices, how they are being secured, and employee concerns regarding company-mandated security programs. The second survey, conducted in March 2014, looked at how IT managers view the risk of employee-owned devices, the prevalence of formal mobile security policies, and the extent to which employee input is included in developing BYOD policies.
Key findings:
- Although 98% of employers have a security policy in place for mobile access to corporate data, 21% allow employee access with no security at all.
- Over 60% of IT managers surveyed reported the use of personal devices by their employees and 58% indicated they were ‘very’ or ‘extremely’ concerned about the security risk from this practice.
- Most employee devices are lacking real security with only 19% installing a full security app and 64% of employees limited to using only the security features that came with their devices.
- Over 60% of employers indicated they seek employee input on mobile device security policies, but over 60% also said employee preference has little or no influence on mobile security decisions.
- Top concerns from employees regarding a company-mandated security app include employer access to personal data, personal data being wiped by an employer, and employers tracking the location of the device. Other concerns included impact on device performance and battery consumption.
- 46% of employees using personal devices said they would stop using their devices for business purposes if their employer mandated installation of a specific security app.
The report concluded that while there are many areas of agreement, there are also some striking signs that many employers and employees do not take adequate steps to protect company information, a weakness that could result in critical security breakdowns.
There is also evidence that employers may not be working collaboratively enough with employees in deciding how to manage BYOD security. This can create problems given the large number of personal devices being used for work purposes.
“Traditionally, employers could dictate the type of security used on each device, because all devices were company-issued and IT could fully manage them,” said Mike Malloy, executive vice president of products and strategy at Webroot. “Today, with so many personal smartphones, tablets, and laptops now being used to access corporate data, the productivity gains and cost-savings for employers are substantial, but IT security policy-makers have to think differently and work more collaboratively with their users to determine security policies and practices that address the concerns of both parties.”
From the results of the employee and employer research surveys, it appears that most disconnects over the use of personal technology to access corporate data can be solved by better communication between both parties over their security, data and privacy concerns.
When it comes to BYOD policies, Webroot recommends:
- Employees must have mobile device security, and employers need to ensure they install adequate protection and require features like password access are always turned on.
- Invest in educating employees about the risks associated with mobile devices and the benefits of securing devices. An informed user is more likely to buy into BYOD security requirements.
- Don’t mandate security solutions without engaging users first – otherwise, employers risk losing productivity from nearly 50% of employees.
- Acknowledge the employee’s BYOD concerns and personal privacy when setting mobile security policy by using a framework such as the “BYOD Bill of Rights.”
- Ensure browser data security breach concerns are answered to the organization’s satisfaction.
- It’s great to have policies, but they only work and are respected if they are enforced.
- Simplify management -letting employees choose different security is time consuming.