Good news for BYOD proponents: few IT departments are resisting the surge of personal devices that users are bringing into work, according to a recent BYOD survey from research firm Ovum. Among the 3,800 users surveyed, just 8% said their company's IT department actively discourages BYOD, and another 46% said personal devices are encouraged.
But the poll has some bad news for people who care about information security. Close to half (46%) of respondents say IT simply ignores the personal devices that are brought to the office, including 18% who say IT doesn't even know personal devices are being used.
If personal mobile devices are going to reach corporate data, two things have to happen: that data has to be protected from theft (including the very common case of a lost or stolen phone), and threats that arrive on a compromised device have to be kept off the corporate network.
For IT departments developing or revising their BYOD strategies, here are five of the most common mistakes companies make when it comes to BYOD security:
1. Losing track of personal devices
It’s hard to manage anything if it isn’t tracked, and BYOD is no exception. However, most IT departments don’t have an accurate view of how many users are bringing mobile devices to work, according to a recent study from Blue Coat.
The IT staffers polled believe that, on average, 37% of users are bringing their personal devices to work. However, 71% of the users surveyed say they are doing so.
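The gap between what IT thinks is on the network and what is actually there is measurable from data most organizations already have. The script below is an added example, not something from the original article or the surveys it cites: it reads DHCP lease records in dnsmasq's leases-file format and compares the MAC addresses seen against the list of devices enrolled in the MDM. The lease lines, the enrolment list, the MAC prefixes and the hostname-based "looks like a phone" heuristic are all constructed for the example.

```python
"""Compare what the network actually sees with what IT thinks it manages.

Input: DHCP lease records (dnsmasq leases-file layout: expiry, MAC, IP,
hostname, client-id) plus the set of MAC addresses enrolled in the MDM.
Output: devices on the network that IT is not tracking at all.
Both inputs below are constructed samples, not real data.
"""

# Constructed dnsmasq-style lease lines. The same laptop renews twice, so a
# naive line count (5) would overstate the number of devices (4).
LEASES = """\
1700000000 3c:22:fb:aa:bb:01 10.0.20.11 alice-laptop 01:3c:22:fb:aa:bb:01
1700000060 8c:85:90:aa:bb:02 10.0.20.12 iPhone-de-Bob 01:8c:85:90:aa:bb:02
1700000120 f4:f5:d8:aa:bb:03 10.0.20.13 Pixel-7 01:f4:f5:d8:aa:bb:03
1700000180 3c:22:fb:aa:bb:01 10.0.20.11 alice-laptop 01:3c:22:fb:aa:bb:01
1700000240 d8:3a:dd:aa:bb:04 10.0.20.14 * 01:d8:3a:dd:aa:bb:04
"""

# Constructed MDM enrolment export: only the corporate laptop is enrolled.
ENROLLED = {"3C:22:FB:AA:BB:01"}

# Heuristic only (assumption): hostnames that usually belong to phones/tablets.
MOBILE_HINTS = ("iphone", "ipad", "android", "pixel", "galaxy")


def parse_leases(text):
    """Return one record per distinct MAC; a later lease for the same MAC
    overwrites the earlier one, so renewals are not double-counted."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        expiry, mac, ip, hostname = parts[:4]
        mac = mac.upper()
        devices[mac] = {
            "mac": mac,
            "ip": ip,
            "hostname": hostname,      # dnsmasq writes "*" when no name was sent
            "last_seen": int(expiry),
        }
    return devices


def looks_mobile(hostname):
    """Cheap guess from the DHCP hostname; DHCP fingerprinting would be better."""
    name = hostname.lower()
    return any(hint in name for hint in MOBILE_HINTS)


def unmanaged_devices(leases_text, enrolled_macs):
    """Devices seen by DHCP whose MAC is not in the MDM enrolment list."""
    enrolled = {m.upper() for m in enrolled_macs}
    seen = parse_leases(leases_text)
    return [rec for mac, rec in sorted(seen.items()) if mac not in enrolled]


def summary(leases_text, enrolled_macs):
    """Headline numbers for the inventory gap."""
    seen = parse_leases(leases_text)
    unmanaged = unmanaged_devices(leases_text, enrolled_macs)
    return {
        "seen": len(seen),
        "enrolled": len(seen) - len(unmanaged),
        "unmanaged": len(unmanaged),
        "unmanaged_mobile": sum(looks_mobile(d["hostname"]) for d in unmanaged),
    }


if __name__ == "__main__":
    print(summary(LEASES, ENROLLED))
    for dev in unmanaged_devices(LEASES, ENROLLED):
        print(f"{dev['mac']}  {dev['ip']:<12} {dev['hostname']}")
```

Run against the constructed sample, the summary reports four distinct devices, one enrolled and three unmanaged, two of which look like phones. On a real network the same comparison can be fed from the wireless controller's client list or 802.1X accounting instead of DHCP, and a device that keeps appearing without ever enrolling is the one to follow up on.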
2. Ignoring the most common threats
Much of the focus on mobile security is on mobile malware, which does deserve attention: malicious apps can do real damage and their numbers keep growing.
However, Blue Coat warns about a more common BYOD security threat: mobile phishing. A phone makes it harder for users to spot a phony URL. There is no cursor to hover over a link to reveal its real destination, the screen is too narrow to show a full address, and the link text in an email can say one thing while the href points somewhere else entirely. Most mobile browsers and mail clients will show the destination if the user long-presses the link, but few users know or bother to do that, which makes it more likely that mobile users will fall for a phishing scam and tap a malicious link.
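The check a desktop user performs by hovering can be done for mobile users before a message reaches them. The script below is an added example, not code from the original article or from Blue Coat: it walks the anchor tags in an HTML mail body and flags links whose visible text names one domain while the href leads to another, plus links to a bare IP address or over plain HTTP. The sample message and the short list of two-label public suffixes are constructed for the example; a real deployment would use the full Public Suffix List.

```python
"""Flag mail links whose visible text and real destination disagree.

On a desktop the user can hover to compare the two; on a phone they cannot,
so do the comparison server-side. All inputs below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: this tiny list stands in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """'login.bank.co.uk' -> 'bank.co.uk', 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_in_text(text):
    """Hostname the user *sees*, if the link text itself looks like a URL or host."""
    candidate = text.strip()
    if not candidate or any(c.isspace() for c in candidate):
        return ""  # 'Click here' is not a hostname
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def suspicious_links(html):
    """Return the links a user on a phone would have no easy way to check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        shown = hostname_in_text(text)
        reasons = []
        if "." in shown and registrable_domain(shown) != registrable_domain(host):
            reasons.append("text domain differs from href domain")
        if host and host.replace(".", "").isdigit():
            reasons.append("href is a bare IP address")
        if target.scheme == "http":
            reasons.append("plain http")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: two lures and one legitimate link.
SAMPLE_MAIL = """
<p>Your account is locked. Sign in at
<a href="https://bank.com.account-verify.example/login">www.bank.com</a></p>
<p>Or reach us via the <a href="https://www.bank.com/contact">Contact page</a></p>
<p><a href="http://192.0.2.10/secure">https://secure.bank.com/login</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_MAIL):
        print(finding)
```

On the constructed message the first and third links are flagged (the third for all three reasons) and the genuine contact link passes. The domain comparison is deliberately done on the registrable domain rather than the full hostname, so `secure.bank.com` shown against `www.bank.com` is not a false positive, while `bank.com.account-verify.example` is caught because its registrable part is `account-verify.example`.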
3. Taking a one-size-fits-all approach
IT has a few options for managing BYOD security, with varying degrees of protection and inconvenience for users. At one end, mobile virtualization (delivering a virtual desktop or virtual app to the phone) lets users reach work systems without any corporate data or apps being stored on the device itself; if the phone is lost, nothing sensitive is on it. That is highly secure, but it is probably more than is needed for a low-level employee who just wants to read email on a smartphone.
To protect sensitive data while creating minimal annoyance for users, IT can segment people by the sensitivity of the data they need access to, and match the control to the tier: lighter controls for staff with email-only access, heavier ones for those who handle regulated or confidential data.
4. Failing to educate users
As the consumerization of IT takes hold, it is becoming harder for IT to control how people in the organization use technology, so IT must instead rely on user awareness training to influence behavior. However, when it comes to mobile security, users are much less aware of the risk than IT pros are.
Nearly all users (88%) believe their device is secure, according to Blue Coat’s survey. In comparison, 77% of IT employees say they believe there’s a high risk of malware spreading from a personal device to the corporate network.
5. Assuming users will obey BYOD security policies
Even if IT does its best to manage BYOD and sets policies and technical controls to protect mobile security, many users will resist following them. For most users, letting IT control what they do on a personal device is not an option. Among the users surveyed by Blue Coat:
- 88% wouldn’t allow restrictions on the sites they could access on their mobile devices
- 81% wouldn’t let the company monitor their web browsing, and
- 76% wouldn’t let IT log their access to corporate data from a personal device.
Therefore, IT must make sure it has ways to enforce its policies rather than relying on voluntary compliance, for example through mobile device management (MDM) software, which can require a passcode and encryption and wipe corporate data from a lost or departing device, and must raise user awareness regarding safe use of mobile devices at the same time.