The Dark Side of BYOD

The Dark Side of BYOD by Michael F. Finneran

I’m in the final stages of analyzing the InformationWeek 2012 Mobile Security Survey that collected information from 322 business technology professionals, and from what I’m seeing many organizations are taking a rather cavalier attitude towards security as we enter the age of BYOD. The survey found that 62% of respondents now have policies allowing for the use of personally owned devices and another 24% are moving that way, so a whopping 86% have or will soon have a BYOD policy.

While the BYOD ship has clearly sailed, it might be the Titanic of IT initiatives. What many seem to be missing is that even if the device is owned by the user, the responsibility for securing corporate information on that device still resides with IT, and what we are seeing being “allowed” should cause the CIO and CSO to shudder. While 86% have or are developing a BYOD policy, only 40% of those have a mobile device management (MDM) system and require users to run the MDM client. One of the oldest adages in security is “trust but verify.”

If we needed any more assurance that it’s not a good idea to leave security up to users, the South Carolina Department of Health and Human Services recently discovered that an employee of the state's Medicaid program had transferred personal information on 228,435 Medicaid beneficiaries to his personal email account. Only 21% of our respondents recognized forwarding corporate information to personal email accounts as a major security concern.

IT professionals seem to understand what’s at stake, as 84% of respondents cited “Lost or stolen devices” as a top mobile security concern, more than twice the percentage of any other response (up to three responses were allowed). Still, the steps they were taking to keep information on mobile devices from falling into the wrong hands were almost laughably inadequate.

The basic rule is that if there’s corporate information on it, the mobile device should have a strong power-on password and the information on it should be encrypted, preferably hardware encrypted. Storing corporate data on at least some devices was permitted by 80% or more of the organizations surveyed, yet only 47% required power-on passwords, and 44% of those don’t require the password to be longer than four characters! If that’s not lax enough, 26% of respondents reported they required hardware encryption only if it is supported on the device. That’s not one of those requirements where we look for “ifs.”

Surprisingly, one of the more prevalent security concerns, reported by 32% of respondents, was penetration of the corporate Wi-Fi network. We did have security concerns with the early Wi-Fi protection measures, specifically Wired Equivalent Privacy (WEP) encryption, which could be cracked with free tools available on the web. Those issues have long been addressed by WPA2 encryption, which has been a mandatory capability on all Wi-Fi Certified devices since 2006. Currently 64% of respondents use WPA2, but 24% report they are still using WEP; most home Wi-Fi networks have put that out to pasture. Only 26% had the ability to detect rogue access points, another long-recognized vulnerability that Wi-Fi introduces.
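The “basic rule” above (corporate data implies a strong power-on password, hardware encryption and a verifying MDM client) together with the WEP finding can be turned into a posture check an IT team runs over its device inventory. The following is an added example, not code from the column or from any MDM product; the device record fields, the six-character minimum and the inventory itself are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumption for illustration: four characters or fewer is "too short".
MIN_PASSCODE_LEN = 6

@dataclass
class Device:
    name: str
    has_corporate_data: bool
    mdm_enrolled: bool
    passcode_required: bool
    min_passcode_len: int
    encryption: str      # "hardware", "software" or "none"
    wifi_security: str   # "WPA2", "WPA" or "WEP"

def posture_findings(d: Device) -> list:
    """Policy gaps for one device; an empty list means it passes.
    The Wi-Fi check applies to every device; the data-protection checks
    apply only when corporate data is stored on it."""
    findings = []
    if d.wifi_security.upper() == "WEP":
        findings.append("joins a WEP network; the WLAN needs WPA2")
    if not d.has_corporate_data:
        return findings
    if not d.mdm_enrolled:
        findings.append("holds corporate data without an MDM client")
    if not d.passcode_required:
        findings.append("no power-on password required")
    elif d.min_passcode_len < MIN_PASSCODE_LEN:
        findings.append("power-on password may be only %d characters" % d.min_passcode_len)
    if d.encryption != "hardware":
        # "encrypt only if supported" shows up here as "software" or "none"
        findings.append("data not hardware encrypted (%s)" % d.encryption)
    return findings

def compliance_report(devices: list) -> dict:
    """Map each device name to its findings and compute an overall pass rate."""
    per_device = {d.name: posture_findings(d) for d in devices}
    passing = sum(1 for f in per_device.values() if not f)
    return {"findings": per_device,
            "pass_rate": round(100.0 * passing / len(devices)) if devices else 0}

# Constructed inventory for the example, not survey data.
INVENTORY = [
    Device("ceo-ipad", True, True, True, 6, "hardware", "WPA2"),
    Device("sales-android", True, False, True, 4, "software", "WEP"),
    Device("guest-phone", False, False, False, 0, "none", "WPA2"),
    Device("hr-laptop", True, True, False, 0, "hardware", "WPA2"),
]

if __name__ == "__main__":
    for name, f in compliance_report(INVENTORY)["findings"].items():
        print(name, "OK" if not f else "; ".join(f))
```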

Mobile device management has been a hot topic, but it appears to be more a “subject of conversation” than an investment. Currently only 25% of respondents reported having MDM systems in place, with another 31% planning to add them within the next 24 months. At the moment, BlackBerry device management still has the highest percentage of organizations on board, with 63% using it, though if users stick to their current purchase plans, Apple iOS devices should equal BlackBerry (at 70%) next year and pass them the year after that.

The popularity of Apple iOS devices is confirmed in a separate report released by mobile security/device management firm Good Technologies, which reported on new device activations on its servers for the first quarter of 2012. Good saw the iPhone 4S activated more than twice as often as the next largest entrant, and that was the iPad 2. Those two, along with the iPhone 4 and the rapidly rising iPad 3, essentially dominated Android activations. Good isn’t used on the BlackBerry platform, so it has no visibility into those activations.

One last anomaly was in protection against mobile malware, in which Android is the primary target. While 75% of respondents identified mobile malware as a major security concern, only 20% had anti-malware protection for all platforms.

While all of this might not be good news for security, it does represent an opportunity for systems integrators. With 31% of organizations planning to invest in MDM solutions in the next two years, that seems to be an opportunity worth pursuing. Similarly, if roughly a quarter of organizations are still using WEP to protect their WLANs, there is a strong upgrade case that can be made there.

All in all, what we see is a lot of reckless behavior surrounding the move to BYOD, which now might stand for “Bring Your Own Disaster.” We will be talking about these and other mobility opportunities at the UC Summit in La Jolla next month.

The challenge will be getting organizations to invest in the absence of a widely recognized security incident caused by poorly protected smartphones or tablets. However, the threat is real and organizations seem poorly protected on a number of fronts, so that does offer the opportunity for a conversation with the CSO.

The full report will be available at InformationWeek Reports May 14.

