Organizations in dark as employees party on with BYOD
Organizations know that employees’ personal mobile devices are sometimes getting onto their networks, but the extent of the problem could be worse than they thought.
A new study by the SANS Institute found that only 9 percent of organizations surveyed were “fully aware” of the devices accessing their networks, and only 50 percent were “vaguely or fairly” aware.
Meanwhile, organizations are scrambling to manage the risk, pursuing everything from user education and mobile device management to Network Access Control and monitoring, SANS said in announcing the study.
DISA office to manage mobile devices, online app store
Personal mobile devices give agencies an IT headache
The full report, SANS’ First Annual Survey on Mobility Security, produced with Bradford Networks, Hewlett-Packard and MobileIron, will be released April 12 during a webcast.
Among other results, the survey of 500 IT professionals found that fewer than 20 percent of organizations are using endpoint security tools, although the organizations using them are using agent-based, rather than agentless, tools.
"More than 60 percent of organizations today allow staff to bring their own devices," SANS Senior Instructor and survey author Kevin Johnson, said in the announcement. "With this type of permissiveness, policies and controls are even more important to help secure our environments."
The challenge of managing and securing personal devices has been building for some time. A SANS report released in November 2011, “Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network,” cited Gartner statistics showing that enterprises are aware of only 80 percent of all the devices on their networks.
The unknown 20 percent, often mobile devices including smart phones, tablets, notebooks and even gaming consoles, are unsecured, possibly jailbroken, and are threats to introduce malware to network resources they access, the report said.
Gartner predicted that, as a result of unsecured mobile devices, 80 percent of organizations that have "bring your own device" policies would see a 100 percent increase in botnet infections by 2013.
The report said standardizing or controlling mobile platforms, and using security measures such as Network Access Control, would be critical to preventing compromises.
Government agencies have been developing BYOD policies, in part out of recognition that many people are tied to their smart phones and tablets and are inevitably going to use them in their work. The White House is developing a federal BYOD policy.
But panel members in a session at this week’s FOSE conference warned that the practice could be outstripping policy efforts, Federal Computer Week reported.
The federal government, like other organizations, is adopting BYOD practices out of necessity, said Rob Burton, partner at the Venable LLP law firm. “But this train may be moving too fast,” he said.
Personal devices present a risk to internal networks for a variety of reasons, including the possibility that they could inadvertently introduce malware into systems, create nodes on networks that administrators are unaware of, and expose internal information if the devices are lost or stolen.
Another element of uncertainty is whether agencies have a right to the information on an employee’s phone or other mobile device if it is personally owned.
At FOSE, Burton discussed a recent Supreme Court decision holding that a municipality could download personal information from a city-owned phone issued to a police officer under investigation, FCW reported. Had that phone been personal property, the right to privacy might have changed the ruling, Burton said.
He also noted the potential threat of foreign agents capitalizing on BYOD policies to infiltrate networks.
“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.
Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.