BYOD Survey: How Are Employees Using Their Devices On Your Network?
August 1, 2014 by Daniel Humphries
By 2017, Gartner predicts that half of all employers will require their employees to bring their own devices to work. The era of BYOD, it seems, is inevitable—and very nearly upon us. In fact, one recent survey indicates that even if companies try to fight the tide, there’s little they can do to stop it: employees will find a way to use their own devices, no matter what.
Like it or not, businesses will have to deal with the risks that BYOD brings. These include the loss of visibility once company data is transferred to a personal device, multifarious privacy and legal concerns and, of course, the threat that user-owned devices could be compromised.
These are complex issues, with no easy solutions. But as the future hurtles towards us, we wanted to learn if firms are even thinking about the basics when it comes to BYOD.
To gain some insight, we surveyed 385 adults in the U.S. who use their own devices (e.g. smartphones, tablets, laptops and PCs) to access resources on their company’s internal networks.
- Less than 50 percent of firms have BYOD policies in place.
- Over half of respondents have transferred company files to their own devices.
- Only 49 percent of respondents implement security updates when they’re released.
Only 39 Percent of Workplaces Have BYOD Policies
BYOD policies will inevitably vary from firm to firm, and some will be better than others. But first we wanted to know: how many people are actually bound by a BYOD policy in the first place?
Percent of Workplaces With BYOD Policies
Our data reveals that, in spite of all the risks incurred by allowing foreign devices to access company data, a mere 39 percent of respondents work under the restrictions of a BYOD policy.
The rest of our respondents are roaming in a wilderness of potentially unsecured devices, operating without any guidance from their employers. After all, if 39 percent don’t have a BYOD policy and an additional 20 percent don’t know if they do or not, this means nearly 60 percent of employees are improvising their own rules—or not following any at all.
Think of it this way: if 60 percent of highway drivers in the U.S. had no idea what the speed limits were, or that they’re supposed to wear seatbelts and not drive under the influence, this would be deemed an unacceptable risk on both the municipal and federal level. A massive public education campaign would ensue, police would be handing out tickets left and right and the nation’s roads would be strewn with wreckage.
In the world of business and BYOD security, however, the attitude towards lax policies and enforcement can be summed up as, “Meh.” And that’s a bit crazy. Implementing a policy is obviously no guarantee that people will follow it, but not having one at all is surrendering the battle before it’s even begun.
Over Half Transfer Work Files to Personal Devices
Once employees start using their own devices, it’s natural to want to transfer work documents to them, for obvious reasons. Didn’t get that important task done during the day? No problem—just send it to your home laptop and finish it in the evening.
Doing so, however, increases the risk of data loss. After all, how do you know employees aren’t sending sensitive documents to their personal devices, or making copies and storing them across multiple devices? What happens, then, if any of these devices gets lost?
To gauge the scale of the problem, we asked respondents how often they transferred work data to their personal devices:
Respondents’ Habits of Transferring Data to Personal Devices
*Chart values have been rounded to the nearest whole number.
Here, at least, there’s some good news: there doesn’t seem to be a wholesale flood of important data out of businesses, as 48 percent of respondents say they’ve never transferred files onto personal devices.
Now if we were to return to our highway metaphor, this is certainly an improvement over our previous result. But if a fifth of drivers are careening down the roads with no regard for speed limits, businesses can still expect a great deal of carnage to ensue.
Meanwhile, 35 percent of respondents admitted to transferring files, but reassured us that these files contained “nothing sensitive.” While we can hope this statement is accurate, it’s open to interpretation: who’s to decide what is sensitive? Finally, 18 percent of employees said they’d transfer anything needed to get work done—which means they’re potentially risking any work files they have access to.
These findings emphasize the need for a strict BYOD policy that uses a risk-based approach to define what is and isn’t allowed to leave the internal network. For instance, it probably doesn’t do much harm to allow the marketing team to use personal devices to work on their campaigns from home, but any financial or proprietary data must be subject to strict controls.
Less Than Half Keep Personal Devices Promptly Patched
Finally, we decided to evaluate another risk of BYOD: what happens if an employee device contains viruses and trojans, or is even an unwitting member of a zombie army?
For instance, if an employee’s device is infected with keylogging malware, then credentials, passwords and other highly sensitive information accessed in your network could be vanishing into the hands of criminals.
This means it’s essential that employees keep the security on their own devices patched. To learn how many are in fact doing so, we asked respondents how quickly they install the latest security updates on their devices.
Frequency of Security Updates on Personal Devices
*Chart values have been rounded to the nearest whole number.
As the chart reveals, a third of respondents maintain very poor security on their devices: they either only update them occasionally, never do or have no idea whether their systems are patched. Our metaphorical highway, once again, is full of people driving at high speed without brakes and seat belts.
Even those business users that do update their devices right away may still be a security risk. A recent Gartner survey found that, of the quarter of employees that experienced a security issue in 2013, just 27 percent felt they had an obligation to alert their employer.
This leaves us with 49 percent of respondents who are doing a good job in regard to personal security on their own devices, while an additional 21 percent update “frequently.” This is good, but not great in today’s world of highly organized hackers and Zero Day Threats—those that can exploit previously unknown vulnerabilities on computers before the good guys have time to patch them.
Tips on Mitigating BYOD Risk
While BYOD policies will vary from firm to firm, there are certain basics every company’s policy should address. For instance, it’s hard to imagine a policy that doesn’t stipulate that employee-owned devices must be password protected, and that these passwords must be strong (e.g. at least six characters). Without this, any criminal with half a brain might find his (or her) way into your network on a stolen device.
Firms can also use policies to ban employees from downloading apps other than those appearing on an approved list. Issues of acceptable use are also key: companies must define which resources employees can access using their own devices.
Fortunately, many organizations have already done the legwork in creating BYOD policies, which can serve as models for other companies to base their own on. There’s even a detailed template from the White House itself, which comes complete with case studies drawn from different federal agencies.
According to Rick Doten, a leading authority on mobile security and CIO and CSO of enterprise mobility firm DMI Inc., one important thing to note is that mobile devices pose less of a risk than PCs.
“Mobile users won’t ‘infect’ a network like a PC can,” he says. “There isn’t a concept of mobile ‘malware,’ it’s really only malicious apps that access data on the phone (which you unknowingly allow it to), or features on the phone, like your microphone or camera.”
To this end, mobile device management (MDM) systems can add an additional layer of protection beyond a BYOD policy by helping mitigate the risks of mobile devices. For example, these solutions enable companies to enforce password protection and encrypt or remotely wipe sensitive data if a device is stolen.
On the other hand, when an MDM solution is placed on a personal device, user privacy becomes an issue, which means your firm’s legal counsel should be involved in the decision-making process.
As for personal PCs, the malware and privacy risks tend to be much greater, particularly because they’re used to access more sensitive data. “You don’t do your taxes on your mobile device, for instance,” Doten notes. While there are numerous solutions for managing these risks, they’re often expensive and difficult to manage.
“The best option is a virtual desktop (VDI), like Citrix,” Doten says. “It provides the user with a virtual environment that keeps all data on the server, and the user interacts with it like a mainframe. Nothing is stored on the user’s device, and the session is gone when they log out.”
The results of our survey make it clear that, as the world of BYOD hurtles towards us, many organizations are unprepared. But here’s the good news: it’s possible to take action right away to mitigate the risk. As Doten points out, there are tools and best practices out there that can help protect against the dangers your business faces.
No organization will ever be fully secure, of course, and there will always be some crazy and reckless drivers on our metaphorical highway. But it’s certainly possible to begin reducing the number of accidents we’re experiencing on a daily basis—so let’s get started.