At the recent RSA event in San Francisco there was a tremendous amount of attention paid to external threats and to issues surrounding bad actors behind perimeters which consensus seems to be no longer exist. In fact, it appears that for better or worse, identity is the new perimeter. A lot less attention was paid to the good old fashion way security is breached, i.e., lost or stolen devices and removable drives.
This does not mean, particularly in a Bring Your Own Device (BYOD) world, that the risks associated with lost and/or pilfered devices have gone away. In fact, as a new study conducted by data governance software company Varonis highlights, if anything, things have gotten worse and more vigilance is actually something to consider. This is true whether your device of preference is supplied by you or is company or government issued.
BYOD is making internal security complicated
Cutting to the chase, the Varonis study found:
- Half of companies have lost a device with important company data on it
- This has security implications for over a fifth of respondents
- 57 percent of employees believe that BYOD puts their personal data at risk as well
- Despite these concerns, 86 percent of the workforce are obsessed with their devices
In short, as individuals we want access to “E”verything, be it professional or personal, and as individuals we are willing to risk the consequences. This attitude of course is why CSOs have nightmares.
Other interesting findings included:
- Almost three quarters of employees are now allowed to access company data from their personal devices
- Employees whether on BYOD or organization issued devices are device obsessed with nearly 86 percent saying they use their devices for work all day and night
- 44 percent doing so even during meals
- 20 percent of respondents consider themselves "borderline workaholic"
- 15 percent bring their devices on vacation
- Seven percent claim that their work and home lives are one
The above says quite a bit about knowledge workers, and how BYOD has transformed the way we live and work. It does make one wonder about what we all are and where we are heading. That is the subject for another day. The issue it exposes is that based on reliance on personal devices, the physical security of them should be considered as if not more important than what they have on them (i.e., malware) and what happens when they are communicating. Who has them and what they might have access to once in their possession is non-trivial. The potential for breaches and data leakages from devices in the wrong hands is a near and present danger.
As the first list above notes, lots of people know of instances of lost or stolen devices and acknowledge that not only their disappearance, but their organization is at risk. Interestingly, the study did find that implementing a BYOD policy only seems to have a small, and arguably statistically insignificant, positive effect on security as seen in the five percent drop in incidents at companies that have a BYOD policy.
What kind of protection is being used?
Verronis found that not surprising the most popular method to secure mobile devices is password protection (57 percent), followed by 35 percent who wipe devices remotely, and 24 percent who use encryption. Where things get a bit contradictory is in that number. While people may be concerned about the impact of a compromised device on their company, a majority believe that using a personal device for work could pose a security risk to them personally through potential leakage and misuse of confidential health and personal information.
And, another conundrum for employers is the finding that companies that allow BYOD have a significant productivity drain over those that don't as nearly a quarter of employees said they spend more time than they care to admit using their personal device for personal use during work hours.
"Being connected to work around the clock appears to be accepted as the 'new normal,'" said David Gibson, VP of Strategy at Varonis. "While organizations are capturing the many benefits of BYOD -- and the willingness of the workforce to embrace this style of working -- companies must protect themselves by:
- Developing a BYOD policy that lets people know what is and isn't allowed.
- Making sure controls are appropriate to the risks -- if the data is valuable, organizations need to control where it resides and who has access to it, need to be able to audit use, spot abuse.
- Monitoring the effects of frequent interruptions and 'always on' habits to watch for signs of impaired productivity or health.
"Only by limiting the potential damage -- both to organizations and employees -- can organizations make the most of a trend that will continue to leap forward, whether businesses allow it to or not."
What all of this portends is going to be fascinating. The impacts are like a multi-headed hydra. BYOD clearly increases productivity by extending the reach of work and the time it can be conducted, but how much of that time is problematic. Monitoring/remote disabling solutions are now available for everything from tracking misplaced or stolen mobile devices to “containerized” devices that create boundaries between personal and work information and apps, and Security- as- a- Service (the new SaaS) is picking up steam to assure people, devices, processes, apps and the networks they use, are all locked down according to best practices. However, we are still early on the adoption curve on much of this because it seems that only a crisis gets C-level attention to spend on such mitigation capabilities.
In addition, in many ways we are in unchartered waters. Is BYOD going to drive a push for more “big brother” surveillance of employee communications which could affect morale and the ability to attract talented people? What about liability if a corporate administrator steals or wipes clean my personal information? Whose head will roll if a device is stolen and reported as such but is not disabled in a timely fashion?
These are all imponderables but important, and that is just the tip of the iceberg. If you are interested in reading the full report it is available to download at http://hub.varonis.com/BYOD-report.
Edited by Brooke Neuman