Employees increasingly use personal devices, including tablets, smartphones, and laptops, to accomplish their work faster, more flexibly, and from anywhere. Yet, while BYOD (Bring Your Own Device) offers more control and independence for workers, it can reduce the control organizations have over securing their networks.
Endpoint protection and robust encryption are generally mandated on company-owned devices, but personal devices often lack these safeguards. Moreover, devices used for personal computing and messaging off the company grid lack the protection of the network firewall, leaving the entire organization exposed to hacker exploits or malware infection when the device reconnects to the network.
More than a quarter of companies reportedly lack security requirements for smartphones.[1] However, companies that do implement security policies for mobile devices still face the threat of employees trying to bypass these requirements. A Ponemon and Websense joint survey highlighted just that: 59% of respondents claimed that employees circumvent or disengage security features such as passwords and key locks.[2]
Lost Personal Devices: A Data Minefield
In the case of a lost or stolen personal device that stores company-owned data, an employee may be unwilling to have their device data wiped remotely. In fact, only 55% of mobile workers report having remote wipe enabled on their smartphones, and just 30% on their tablets.[2] The inability to rapidly dispose of sensitive data, particularly unencrypted data, exposes organizations to considerable risk.
What You Can’t See, Can Byte You!
A Mobilisafe study encompassing 130 million device connection events reported that over a third of the devices with network access and/or corporate data went inactive for more than a month.[3] The presence of so many personal devices used for work that are unaccounted for, and that may retain sensitive data and user credentials, poses a latent threat to organizations.
Outdated Firmware and Version Control
The sheer number and variety of personal devices and operating systems that may be in use across an enterprise pose daunting challenges for IT. Mobilisafe found that 71% of mobile devices contained high-severity operating system and application vulnerabilities. Mobilisafe theorizes that severe vulnerabilities could be reduced 4-fold simply by updating firmware.[3]
Malware Breeding Grounds
Smartphone users routinely download music and games, access applications, and execute files with minimal regard to file source or authenticity. Ponemon and Websense reported that, in a one-year period, 51% of surveyed organizations experienced data loss resulting from employee use of insecure mobile devices.[2]
With all the potential pitfalls, it’s easy to understand why some people more cynically refer to BYOD as “Bring Your Own Danger/Disaster.”
Taking BYOD Head-On
Organizations that try to ban personal devices outright may repel productive and creative workers, or induce employees to work outside the rules.
A successful BYOD security policy should strive to:
- Establish full visibility of all devices connected to the network
- Enforce strong access control passcodes on all devices
- Mandate minimum system and device requirements
- Continuously monitor for vulnerabilities, exploit attempts, misuse, and devices that have gone off-line
- Encrypt all company data on personal devices
- Enforce use of antivirus, data loss prevention, and application control
- Allow company access to the device for forensics, or to wipe company data
- Measure compliance
As a leader in network security, WatchGuard Technologies develops solutions to make your BYOD environment a safe and productive ecosystem. By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, meet compliance demands, and maintain strong security without sacrificing flexibility.
1. iPass. “The iPass Global Mobile Workforce Report: Q3 2012: Understanding Global Mobility Trends and Mobile Device Usage Among Business Users”. August 2012.
2. Ponemon Research Institute (sponsored by Websense). “Global Study on Mobility Risks: Survey of IT & IT Security Practitioners”. February 2012.
3. Mobilisafe. “Four Steps To Mitigate Mobile Security Risks”. White Paper.