Survey: Despite Security Incidents, BYOD Worth The Risks

SOURCE: Symantec

When it comes to mobile, BYOD is definitely here to stay. But, is it worth the risk?

This year at Symantec Vision we wanted to better understand our customers’ perceptions of how personally owned mobile devices are used in their organization.  To do this, we conducted a survey of 236 attendees asking how their company is addressing BYOD, including risks, challenges, polices, usage and management of mobile devices.

What we found is that while most organizations allow employees to use personal mobile devices for business purposes, they also accept that doing so will likely result in a mobile security incident. Survey respondents clearly stated that the use of BYOD is worth the risk, but that they need technology to enforce policies and protect their organizations from mobile security incidents.

Let me share a few of the key findings that I found interesting:

Mobile Device Usage

59 percent of respondents report their organizations do not yet give their employees the same productivity apps on BYOD and corporate-owned devices. This is wise until they have technology controls in place to protect the organization. However, employees tend to disregard policies and continue to use unauthorized apps for business purposes on mobile devices regardless of policies. The top four apps that employees use for business purposes or to access business information from their personally owned mobile devices in the past 12 months were:

– Web browser (72 percent)

– Email (58 percent)

– Contacts (56 percent)

– Calendar application (55 percent)

Mobile Policies

While organizations treat BYOD and corporate-controlled devices differently, 83 percent of organizations still allow employees to use personally owned devices for business use. However, 42 percent of employees use a personally owned mobile device for business, regardless of their company policy. While 80 percent of organizations enforce their policies, only 68 percent use technology to enforce it. Surprisingly, one in ten organizations (11 percent) use HR controls to enforce these policies, which typically means they operate on the honor system or base their enforcement on the whistle blowing of other employees.

Mobile Risks

The majority of organizations report at least one mobile security incident within the past 12 months. The top mobility incidents organizations experienced in the past 12 months include:

– Lost or stolen devices (60 percent)

– Spam (60 percent)

– Malware infections (43 percent)

– Phishing attacks (40 percent)

– Exposure of confidential information (19 percent)

However, 70 percent of organizations report that the benefits of mobility are equal to or greater than the risks and challenges associated with having mobile devices.

Mobility Management

Finally, 60 percent of organizations say that managing mobility is a challenge for them. As such 90 percent turn to mobility management technology to help them secure, provision, configure and otherwise protect their organization’s data that resides on the mobile devices of their company and employees.

Recommendations

We are committed to help organizations reap the productivity and other benefits that mobile devices provide. In fact, earlier this week, we introduced an updated version of Symantec Mobile Management Suite with single sign-on, SSL policing and secure email. As organizations turn to technology to enforce mobile policies, they can implement the following best practices to better protect themselves from some of the biggest risks of employees using personally owned mobile devices for work:

– Complement mobile device management with application and data protection, with remote data wiping, app-level security and encryption.

– Mobile apps must be able to contain information within a limited set of approved and managed apps.

– Utilize effective protection (not freeware) to secure assets against external attacks, rogue apps and unsafe browsing.

– Apply two-factor authentication, combining a password with something the user has (such as a token or a fingerprint).

– Apply policies with consistent standards across company- and employee-owned devices.

– Use complete application, data and device management policies both during information use and when it is at rest on devices.