Mobile devices continue to grow in use within the workplace, as do the vulnerabilities they bring with them, and it seems CIOs continue to have a challenge with the security implementation needed to protect their organization’s environment.
A recent Bitglass survey on BYOD program implementation and practice within organizations sheds some light on the challenges, as well as the fact that a good portion of security professionals themselves don’t implement their own program. The study found that:
- 28% of businesses are doing nothing at all about mobile security.
- 38% of IT security professionals and 57% of end users don’t participate in their companies’ BYOD programs.
- 78% of employees are unlikely to participate in a BYOD program if their employer has visibility into their personal applications and/or locations.
- 64% of employees wouldn’t participate in a BYOD program if their employer had the ability to wipe their personal device.
Furthermore security pros and end users don’t want enterprise software on their personal devices. 78% of respondents said that while they understand that companies need to protect sensitive data, they shouldn’t have the ability to wipe personal data from an employee’s mobile device. So, it seems the only way a majority of employees and security professionals would participate in their company’s BYOD program is if their employer could not view, alter or delete personal data or applications.
With this in mind it is obvious that CIOs have their work cut out for them. Some of the things they can do that can make a difference when employees aren’t following BYOD policies is to train employees on mobile security best practices, create restrictions to the kinds of corporate data accessed by employees using their personal devices on the premises, and implement a comprehensive mobile incident response strategy.
Additionally CIOs should ensure their mobile security strategy addresses the unique challenges of the technology they are using and that it’s not a repurposed traditional security solution. Also, keeping up to date with the latest known mobile security vulnerabilities and scheduling periodic quantitative mobile risk evaluations alternating between internal and external evaluations of their enterprise’s overall environment.
If you can’t ensure BYOD policies are met, not even by the CIO themselves, then taking additional steps to limit the data access employees have and ensuring you have eyes on your entire infrastructure are what can help prevent intrusion and insider threat from getting the best of you.
In what ways are you improving your organization’s mobile device security posture?
Photo courtesy of watcharakun