Nearly two-thirds of organizations do not enforce encryption policies, says analyst
LAS VEGAS--BYOD presents enterprises with a number of security and privacy challenges that must be addressed, Gib Sorebo, chief cybersecurity technologist at research firm SAIC, told an audience here at Interop on Thursday. Sorebo related that nearly two-thirds of organizations do not enforce encryption policies, which opens up corporate data to risk of unauthorized disclosure.
"Corporations are trying to deal with the BYOD security problem through a number of different ways. One of these ways, particularly for USB drives, is to mandate encryption. That really hasn't worked that well," he observed.
In addition, mobile malware has been on the rise recently--malware that can be transferred from a personal mobile device to the enterprise network, he noted. Android in particular has been a target of malware users, with a 162 percent rise in Android malware between 2011 and 2012, according to data compiled by mobile security firm NQ Mobile.
"Some of that risk might be lessened as the Google (NASDAQ: GOOG) Play platform and others change requirements of how apps are approved. Apple (NASDAQ: AAPL) hasn't had the same problem as Android, but there are still a lot of problems in that sphere. Hopefully, we can get the app ecosystem working a little bit better ... Right now it is problematic," Sorebo said.
On the behavioral side of BYOD security risks, half of people take confidential data from work to their home on portable devices, according to a study by market research firm Illuminas and the Consumer Electronics Association entitled "A Tale of Two Techs."
"The line between corporate and personal is blurring ... We have to deal with the fact that data is going out of the enterprise," Sorebo said.
"For data like personal identifiable information, credit card information, and health information, we need to think long and hard about whether we want to segment that part of the data world from the rest of BYOD, particularly if the use cases don't demand that people bring home that information," Sorebo noted.
"We need to think through the business processes of how BYOD, mobile devices and other personal devices interact with this data ... You need to have security built into the applications you use and the protection of the data," he said.
Finally, three quarters of enterprises have suffered data loss from malicious insiders, according to a survey by the Ponemon Institute. "It is probably closer to 100 percent," Sorebo added.
"The threats are only going to increase--from foreign nation-states, cybercriminal organizations, hacktivists and script kiddies. This problem is not going away. The profitability of launching these attacks is only going to increase, and we have to get better in response to that," Sorebo concluded.