Employees who BYOD leave basic security behind, study finds

Eighty-one percent of people surveyed in a new study say they use a personal device for work — and more than half of them fail to take the most basic steps to secure their devices and data.

And they’re using those devices for work whether their employers have officially OK’d it or not. Sixty-six percent of those using a personal device for work say their organization does not have a “bring your own device” policy.

The survey, conducted online in February by ESET and Harris Interactive, included 1,320 employed U.S. adults, sought to determine the extent of BYOD practices and how well, or poorly, those devices are being secured, according to a by ESET security researcher Cameron Camp.


Related stories:

Organizations in dark as employees party on with BYOD

Personal mobile devices give agencies an IT headache


For one thing, it found that BYOD doesn’t always have to mean smart phones and tablets. Desktop PCs, for example, were the personal devices most commonly used for work.

The breakdown of devices used for work:

  • Desktop, 56 percent.
  • Laptop, 51 percent.
  • Smart phone, 38 percent.
  • Tablet, 15 percent.
  • Other, 4 percent.
  • None, 19 percent.

More important than just using their devices for work-related tasks, which could be as simple as checking e-mail via Web access, is whether they use those devices to store access and/or company information. Those numbers from the survey:

  • Desktop, 47 percent.
  • Laptop, 41 percent.
  • Smart phone, 24 percent.
  • Tablet, 10 percent.

Camp said those numbers reflect a “fairly logical adoption curve,” with established, and still more prevalent, devices such as desktop and laptops being used more often for work.

But concern over BYOD has grown recently in connection with mobile devices, as more and more people buy them, travel with them, and mix business and personal activity on them. Government agencies have been working on BYOD policies at least in part out of recognition that the use of mobile devices for work is inevitable.

And mobile devices, which can be easily lost or stolen and can pick up infections via some of the apps that abound for them, aren’t often being secured, the survey found.

Auto-locking features, a basic step that offers at least some protection if a smart phone or tablet is lost, are largely being ignored, according to the survey results. Less than 10 percent of people using tablets for work have enabled auto-lock; about 25 percent of smart-phone users have, and about a third of laptop users.

Auto-lock with password protection was in use for less that 50 percent of laptop users, less than one-third of smart-phone users and only 10 percent of tablet users, according to the survey.

Overall, company data was being encrypted on only about a third of BYOD devices.

The upshot of the study: Personal devices, and increasingly mobile ones, are being used to access and store data at work, and fewer than half of them are being secured by even the most basic protective measures.

As organizations develop their own BYOD policies, Camp recommended they could immediately increase their security by implementing those basic steps: turning on auto-locking, setting up password protection and enabling encryption.
 

Reader Comments

Tue, Apr 10, 2012 sitweak

The problem is that you can limit personal devices out-of-the-blue. There has to be a solid basis behind it. There need to be policies on how to access company data from personal devices. These policies have to be developed with-in the countries laws/rights and finally need to be accepted by the end-user.

Tue, Apr 10, 2012 Old CIO DC

Is the author suggesting that I can enforce standards on personal devices? Do I have the right to physically restrain an employee and take his/her personal PDA to ensure it is password protected because it was used to access an Outlook OWA to get company mail? I think this issue is a little more complicated than it is portrayed.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above