KnowBe4 and ITIC Latest Study Reveal Companies Lack Security for “BYOD”
According to new findings from KnowBe4, a Security Awareness Training firm, and research firm ITIC, a large percentage of companies do not have security procedures in place for “bring your own device” programs.
(Clearwater, FL) September 4, 2012 – While BYOD (bring your own device) deployments have been among the biggest trends in corporate computing over the last 12 to 18 months, a recent study found that 71% of businesses that allow BYOD have no specific policies and procedures in place to support BYOD deployment and ensure security. The study was conducted by KnowBe4, a security awareness training firm, and ITIC, a Boston-area research and consulting firm that specializes in independent surveys tracking crucial technology trends.
Nearly two-thirds of businesses now allow end users to bring their own devices and use them as corporate desktop or mobile devices to access organizational data, including email, applications and sensitive data. BYOD usage does help businesses contain costs and lower the administrative burden on IT departments, as end users manage, maintain and in many cases pay for their own devices. However, there is a huge downside to this trend: security.
Kevin Mitnick (former ‘most-wanted’ hacker), KnowBe4’s Chief Hacking Officer, said: “Mobile devices are the new target-rich environment. Based on lessons learned in the early days of the personal computer, businesses should make it a top priority to proactively address mobile security so they avoid the same mistakes [of the PC era] that resulted in untold system downtime and billions of dollars in economic loss.”
The ITIC/KnowBe4.com survey polled 550 companies worldwide in July and August. It found that only 13% of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.
More firms are moving to the BYOD model. Legal services leader Foley & Lardner deployed BYOD in October of 2009. According to a recent article, the firm implemented the program to cut costs and enable its employees to work anywhere, anytime, and security for personal devices is said to be handled from “within the secure confines of our data center” (1).
BYOD can leave corporations extremely vulnerable to security breaches. Unless the corporation has strong, effective policy, procedures and security awareness training in place to govern BYOD usage, the company and its sensitive corporate data could be put in a precarious position in the event that a mobile device is lost, stolen or, more likely, hacked, which is a real possibility in recent times. (2)
Among the other ITIC/KnowBe4.com survey highlights:
- Organizations are split on who is responsible for the security of BYOD devices. Some 37% of respondents indicated the corporation was responsible; 39% said the end users were responsible; 21% said both bear equal responsibility; and the remaining three percent were “Unsure.”
- Presently, 51% of workers use smartphones as their BYOD devices; another 44% use notebooks and ultrabooks, while 31% of respondents indicated they use tablets (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs.
- A 57% majority of respondents said the end users purchased and own their BYOD devices, compared with only 19% who indicated the corporation buys and owns them.
- The top three challenges with respect to BYOD deployment were: difficulty of management and support (63%), provisioning new applications (59%) and security (48%).
ITIC principal analyst Laura DiDio added, “These survey findings should galvanize corporations to safeguard their data in advance of an expensive and potentially crippling loss or hack.”
As necessary and vital security measures, every firm, regardless of size, should conduct a risk assessment review, adopt a ‘defense-in-depth’ strategy and create a strong first layer: security policy, procedures and security awareness training to deal with BYOD deployments.
Security awareness training, the first layer of the “defense-in-depth” strategy, is an important element of BYOD deployments, and Kevin Mitnick Security Training addresses that need. The training specializes in making sure employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering, and are able to apply this knowledge to the personal devices they use for and at the workplace.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Security Awareness Training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.