Policies allowing employees to bring their own devices to work (BYOD) have the unintended consequence of increasing the total number of vulnerable devices connecting to corporate networks and accessing corporate data, a report released today by Rapid7 said.

While the general consensus says that BYOD policies increase productivity, corporate IT teams are doing a poor job managing them, according to the report. Worse yet, since many of the devices in use belong to the employees, the burden of responsibility for updating firmware, operating systems, and applications rests squarely on the shoulders of the employees, who must wait for their carriers before they can implement updates.

Part of the problem seems to be a lack of awareness. Rapid7 conducted a survey of more than 500 organizations. Some 64 percent allowed employees to use personally owned mobile devices at work. Among that 64 percent, nearly half did not know how many devices the average employee was using to access corporate data.

Beyond that, 62 percent of respondents said their organization was actively managing security on employee-owned devices connecting to their corporate networks. Just 17 percent were aware of the number of vulnerabilities present on each device, only 38 percent of respondents knew how many devices were password locked, and as many as 72 percent of devices may not be up to date with the latest version of their respective operating systems.

The vulnerability management company suggests organizations implement policies forcing users to password lock devices accessing corporate data, using a PIN of more than four characters, maintain the ability to remotely wipe lost and stolen devices, educate users about risks, and encourage users to implement updates as early and often as possible.


Comments (4)

  1. Alan Lucaz

    Brian, great post. Check out this video that deals with addressing security holes in BYOD policy: https://www.youtube.com/watch?v=ITP-02z02tI. It works off of similar research on the subject and goes into more ways in which organizations can proactively shape their policies to deal with potential threats.

  2. joe

    Managing devices is the wrong approach. Trying to manage devices is a waste of time and money that is better spent on securing access to your data.

  3. Bill E. Ghote

    With regards to the comment that managing devices is not the right approach, I would add – securing the container for data (whether that be at the device level or more granular), is one step towards securing access to data. Not sufficient unto itself, but a part of the solution. So, I disagree that it is completely wrong – but would agree that in and of itself, inadequate to achieve the overarching goal of securing access to data.

  4. Bob

    I am so sick of people getting paid to write “Gee I’m standing in the rain and I’m getting wet.” articles. Get used to the idea that you can’t secure it. That is the risk trade-off that is being made. Grow up and accept it or put a stop to mobility.
