The BYOD & Security Report: More indications of BYOD risks
The second annual BYOD & Security Report is out, and unsurprisingly, some serious security concerns are at the forefront of the findings. Readers of this blog know about a good number of the security issues revolving around Bring-Your-Own-Device (BYOD). This survey adds more detail to those issues.
If the numerical results regarding BYOD and mobile security seem slightly different from those of the earlier survey I covered, it’s because the sampling is slightly different. In this survey, 1122 information security professionals were polled – nearly triple that of InformationWeek’s survey. Regardless, the overall trends remain the same: IT professionals are concerned with the security risks inherent to BYOD, and most simply aren’t prepared to manage that risk at all.
First, a quick summary of the survey’s chief findings regarding trends in BYOD:
- BYOD is driven by the desire/need to maintain employee mobility (57%), satisfaction (56%), and productivity (54%).
- The dominant form factors for BYOD devices are smartphones (87%), laptops (79%), and tablets (68%).
- The most common risk control measures are password protection (67%), (remote) data wiping (52%), and encryption (43%).
- The biggest BYOD security concerns consist of company/client data loss (67%), unauthorized access to company data and systems (57%), and downloading apps/content with security exploits (47%).
- The single most cited negative impact of mobile security issues is the additional IT resources needed to manage security incidents (30%).
Some deeper details
Now, none of this should come as a great surprise, especially the rationale for adopting BYOD and the dominant form factors in the practice. So, I won’t be touching on those any further today. What bears further consideration are the security issues. Notably:
- Despite a majority of survey participants adopting password protection and remote data wiping, far too few have implemented attack and penetration testing of mobile applications (only 11%). Worse yet, 15% have no security control measures at all.
- As noted, 30% of respondents were most concerned with the added cost of security management for mobile devices. What’s worse is that another 27% admitted that they simply don’t know about the potential negative impact of mobile security concerns for their organization. How safe is data in those organizations, I wonder?
- Building on this, the survey further found that the organizations of 21% of respondents have BYOD in wide use without any organizational support. On the one hand, that means lower support costs for the organization. On the other hand, it implies that unsecured devices are running unchecked and rampant throughout those organizations…
Remember how I mentioned Aberdeen’s calculation that a company adopting BYOD will likely spend an extra $170,000 per year on hidden costs for 1,000 mobile devices? Well, that’s the added cost of BYOD in the normal course of business affairs. What about the cost of BYOD in major security breaches?
Loss of company data, and the price of digital forensics
When it comes to data breaches that involve the loss of privileged company data, the actual dollar value is pretty unknowable. It’s not going to be cheap, though. Think about it: What happens if the breach is by a competitor, and the data loss lets everybody in on the secrets of your core competencies? How much is that worth?
And in this scenario, perhaps the riskiest source of a breach by a competitor comes from what Paul Luehr (a database forensics expert) calls the “Bad Leaver”. The Bad Leaver is an employee who has left a company under bad circumstances and has likely taken intellectual property to a direct competitor.
A particularly nasty way that the Bad Leaver could leak your intellectual property is through text messaging, since the content appears only on the phones and nowhere else. While service providers can furnish log information such as connection times and numbers connected, the content of individual messages isn’t saved. In the worst case, according to Luehr, some messages are designed to disappear even from the phone itself. This could be accomplished via apps such as Snapchat…
And this brings us to digital forensics. The noun basically tells you all you need to know: It’s a branch of forensic science that encompasses data/content recovery from and investigation of digital devices. And its deployment is on the rise, for both business and legal reasons. Given what I’ve mentioned above, I doubt you would find this surprising.
The other thing you wouldn’t find surprising is that digital forensics doesn’t come cheap. Although there is a range of providers with varying prices, the digital forensic analysis of smartphones (i.e., analysis of a security breach and data recovery) will likely cost several thousand dollars per phone analyzed. And the bigger the case, the bigger the price tag…
The final word for now…
There are some very serious security issues regarding mobile device use of which you must be aware if you’re going to enact and enforce good mobile security policies. You really don’t want to be among the 27% of IT professionals mentioned above who don’t know about the negative impact of mobile security issues!
In the spirit of community and helpfulness, I encourage you to share any experiences you’ve had with mobile security in the comments section below. In the meantime, if you have any questions about mobile security, contact us at Cimpl! We’re Canada’s leader in IT and telecom expense management, and our years of experience have given us deep insights regarding mobility. We’d love to hear from you and give you a helping hand!