Survey: Most companies with BYOD users don't have BYOD policy
While companies are moving to allow personally owned devices, from smartphones to laptops, into the workspace, most of those companies haven't implemented security, created a bring-your-own-device policy or even trained their employees on safe practices when using their own devices. The survey, conducted by Harris Interactive and sponsored by security vendor ESET, showed that two-thirds of those surveyed who use a personal device say their employer has not implemented a BYOD policy.
"Security in an organization begins with a policy," said ESET's Stephen Cobb. "If you have a user base that's not educated about data, and you have your company data on their device, that's a risky position to be in."
Adding to the risk are highly risky behaviors that the Harris Interactive survey found. Nearly a third of all those surveyed connect to their company's network through an open "free" network. Even more don't use auto-lock or passwords on their devices. Employees surveyed reported that they frequently allow other people to use the personal electronic device that contains company information.
Not surprisingly, a quarter of those surveyed report having been a victim of hacking or malware on their devices.
"What you have is a pattern of behavior in which people become used to having their own device," Cobb said. "You either have to have policies that they follow or provide a device." Cobb said that the problem of maintaining control over company data on personal devices is complex and requires that employees cooperate. "It's up to the individual to either accept company restrictions or use a company device," Cobb said.
Cobb noted that in many cases, companies will have to simply provide devices such as smartphones to their employees so they can maintain control of the data. But he noted that before they take that step there are other things to try. "Companies need to have the conversation and develop the policy and develop training," he said. This means that companies need to include their employees in developing the BYOD policies, determine what they need to use those devices for and then develop relevant training.
Cobb provided some tips for handling employees who bring their own devices:
- Provide cybersecurity training to all BYOD employees. That training should include physical security, Wi-Fi security and social engineering attacks. Try to provide at least four hours of face-to-face learning.
- Make password-protected auto-locking a requirement on personal devices used for work and make sure employees know what makes a password strong.
- Develop and enforce a clear, written policy that lets employees know what work-related data they may access with their own devices.
"The tricky area is where there are good business applications and it's very tempting for the employee to use that for their own stuff," Cobb said, "but you need to maintain a secure posture. IT has to have control," he said.
- see this infographic (.pdf) of the study's findings