Organizations in dark as employees party on with BYOD

Organizations know that employees’ personal mobile devices are sometimes getting onto their networks, but the extent of the problem could be worse than they thought.

A new study by the SANS Institute found that only 9 percent of organizations surveyed were “fully aware” of the devices accessing their networks, and only 50 percent were “vaguely or fairly” aware.

Meanwhile, organizations are scrambling to manage the risk, pursuing everything from user education and mobile device management to Network Access Control and monitoring, SANS said in announcing the study.


The full report, SANS’ First Annual Survey on Mobility Security, produced with Bradford Networks, Hewlett-Packard and MobileIron, will be released April 12 during a webcast.

Among other results, the survey of 500 IT professionals found that fewer than 20 percent of organizations are using endpoint security tools, and that the organizations that do use them are using agent-based, rather than agentless, tools.

"More than 60 percent of organizations today allow staff to bring their own devices," SANS Senior Instructor and survey author Kevin Johnson said in the announcement. "With this type of permissiveness, policies and controls are even more important to help secure our environments."

The challenge of managing and securing personal devices has been building for some time. A SANS report released in November 2011, “Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network,” cited Gartner statistics showing that enterprises are aware of only 80 percent of all the devices on their networks.

The unknown 20 percent, often mobile devices including smart phones, tablets, notebooks and even gaming consoles, are unsecured, possibly jailbroken, and threaten to introduce malware to the network resources they access, the report said.

Gartner predicted that, as a result of unsecured mobile devices, 80 percent of organizations that have "bring your own device" policies would see a 100 percent increase in botnet infections by 2013.

The report said standardizing or controlling mobile platforms, and using security measures such as Network Access Control, would be critical to preventing compromises.

Government agencies have been developing BYOD policies, in part out of recognition that many people are tied to their smart phones and tablets and are inevitably going to use them in their work. The White House is developing a federal BYOD policy.

But panel members in a session at this week’s FOSE conference warned that the practice could be outstripping policy efforts, Federal Computer Week reported.

The federal government, like other organizations, is adopting BYOD practices out of necessity, said Rob Burton, partner at the Venable LLP law firm. “But this train may be moving too fast,” he said.

Personal devices present a risk to internal networks for a variety of reasons, including the possibility that they could inadvertently introduce malware into systems, create nodes on networks that administrators are unaware of, and expose internal information if the devices are lost or stolen.

Another element of uncertainty is whether agencies have a right to the information on an employee’s phone or other mobile device if it is personally owned.

At FOSE, Burton discussed a recent Supreme Court decision holding that a municipality could download personal information from a city-owned phone issued to a police officer under investigation, FCW reported. Had that phone been personal property, the right to privacy might have changed the ruling, Burton said.

He also noted the potential threat of foreign agents capitalizing on BYOD policies to infiltrate networks.

“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.


About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

