KnowBe4 and ITIC Latest Study Reveals Companies Lack Security for “BYOD”
According to new findings from KnowBe4, a Security Awareness Training firm, and research firm ITIC, a large percentage of companies do not have security procedures in place for “bring your own device” programs
(Clearwater, FL) September 4, 2012 – While BYOD (bring your own device) deployments have been among the biggest trends in corporate computing usage in the last 12 to 18 months, a recent study found that 71% of businesses that allow BYOD have no specific policies and procedures in place to support BYOD deployment and ensure security. The study was conducted by KnowBe4, a security awareness training firm, and ITIC, a research and consulting firm based in the Boston area specializing in conducting independent surveys tracking crucial trends.
Nearly two-thirds of businesses now allow end users to bring their own devices and use them as corporate desktop or mobile devices to access organizational data including email, applications and sensitive data. BYOD usage does help businesses contain costs and lower the administrative burden of IT departments as end users manage, maintain and in many cases pay for their own devices. However, there is a huge downside to this trend: security.
Kevin Mitnick (former ‘most-wanted’ hacker), KnowBe4’s Chief Hacking Officer, said: “Mobile devices are the new target-rich environment. Based on lessons learned in the early days of the personal computer, businesses should make it a top priority to proactively address mobile security so they avoid the same mistakes [of the PC era] that resulted in untold system downtime and billions of dollars in economic loss.”
The ITIC/KnowBe4.com survey polled 550 companies worldwide in July and August. The survey found that only 13% of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.
More firms are changing to the BYOD model. Legal services leader Foley & Lardner deployed BYOD in October of 2009. According to a recent article, the firm implemented this program to cut costs and enable its employees to work anywhere, anytime. Security for personal devices is said to be provided from “within the secure confines of our data center” (1).
BYOD can render corporations extremely vulnerable to security breaches. Unless the corporation has strong, effective policy, procedure and security awareness training in place to govern BYOD usage, the company and its sensitive corporate data could be put in a precarious position in the event that a mobile device is lost, stolen or, more likely, hacked, a real possibility in recent times (2).
Among the other ITIC/KnowBe4.com survey highlights:
- Organizations are split on who takes responsibility for the security of BYOD devices. Some 37% of respondents indicated the corporation was responsible; 39% said the end users were responsible; 21% said both bear equal responsibility and the remaining three percent were “Unsure.”
- Presently, 51% of workers utilize smart phones as their BYOD devices; another 44% use notebooks and ultrabooks, while 31% of respondents indicated they use tablets (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs.
- A 57% majority of respondents said the end users purchased/owned their BYOD devices, compared with only 19% that indicated the corporation buys and owns them.
- The top three challenges with respect to BYOD deployment were: difficulty of management and support (63%); provisioning new applications (59%) and security (48%).
ITIC principal analyst Laura DiDio added, “These survey findings should galvanize corporations to safeguard their data in advance of an expensive and potentially crippling loss or hack.”
As necessary and vital security measures, every firm, regardless of size, should conduct a risk assessment review, adopt the ‘defense-in-depth’ strategy and create a strong first layer: security policy, procedure and security awareness training to deal with BYOD deployments.
Security awareness training, part of the “defense-in-depth” strategy, is an important element in BYOD deployments, and Kevin Mitnick Security Training addresses that issue. This training specializes in making sure employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering, and are able to apply this knowledge to the personal devices they use for work and at the workplace.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which
provides web-based Security Awareness Training to small and medium-sized
enterprises. A data security expert with more than 30 years in the IT industry,
Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an
award-winning anti-malware software company that he and his partner sold to GFI
Software in 2010. Realizing that the human element of security was being
seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime
tactics through advanced Security
Awareness Training. He and his colleagues work with companies in
many different industries, including highly regulated fields such as healthcare,
finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist:
The Biggest Financial Threat Facing American Businesses Since the Meltdown of
2008.