Employees and Companies Not Taking BYOD Security Seriously

Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than 1.8 billion units.

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure.  Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

In an effort to compare how BYOD security has changed in the past year, Coalfire recently conducted an informal survey of approximately 400 users (no IT or IT security professionals were included). We asked these consumers what devices they used, how they used them, how they were secured and how comfortable they are with their devices’ technology.

In our survey, we asked users about smartphones, laptops and tablets and found that usage of all mobile devices is firmly on the rise. Our respondents are consumers who are tech-savvy, with 63 percent confirming they are comfortable with their computer expertise.

Smartphone usage has exploded over the past year. In 2012, only 47 percent of our respondents used smartphones, but today, 57 percent of respondents own a smartphone and a clear majority of 86 percent use their smartphone for work. In 2012, 20 percent of respondents were using tablets, compared to 36 percent in 2013. In the past year, tablet usage has nearly doubled, and over the next 12 months that number will continue to grow. The majority of respondents, over 80 percent for all three devices, do not have separate devices for personal use and work.

In our survey, 95 percent of respondents reported using their smartphones for personal email use, while the second most reported use was social networking – the same approximate result as 2012. Laptops are also used heavily for personal use, and yet 20 percent of 2013 respondents are using company-owned laptops, which should be of concern to the IT department.

The results of our survey are clear: employees do not want to carry separate mobile devices for company use and want immediate access to personal email and social networking sites 24/7. This can create problems for organizations that must protect company data.

Employees are often a company’s biggest security threat and it all begins with the mobile-device password. Only 53 percent of our respondents have a password on their mobile phones. This is slightly better than 2012 results which revealed 47 percent of smartphone users had a password, but clearly more consumers need to be vigilant in the event of a lost or stolen phone.

People have gotten the message about securing their laptops, with 79 percent of respondents now using passwords. Since smartphones and tablets can perform nearly all of the tasks of a laptop, the same vigilance should be in place for these devices.

But how strong are these passwords? A strong password is one that uses at least eight characters that are case-sensitive, including letters, numbers and symbols. The good news is that 60 percent of the respondents using passwords on their smartphones are using strong passwords. Only 37 percent of the respondents work for companies that have the ability to wipe the smartphone or tablet if it is locked or lost.

The technology built into smartphones also directly influences how stringent passwords tend to be. Passcodes are used to get into the mobile device, where passwords are used to get into specific programs such as email. The iOS platform has a default passcode option of four numbers (a pin number) to secure the phone. However, iOS users can go into settings to create a stronger passcode but many general users are not aware of this option. Android smartphone users can use a swipe pattern or a “connect the dots” exercise as their passcode. Users should choose a complex swipe pattern and keep their phones clean at all times so fingerprints on the swipe pattern are not obvious.

There is some good news, only 30 percent of respondents in 2013 reported re-using the same password. This is an improvement from last year, when 36 percent reported this behavior. Approximately half of respondents are still not using a smartphone password. More people are also writing down their password on a piece of paper — a whopping 62 percent, up 2 percent from 2012.

The results of this survey are not surprising. While a greater number of employees are using passwords on their smartphones, more than half of the respondents still write down their passwords on pieces of paper.   It should be noted that this behavior is not nearly as impactful when used with a smartphone.  Typically, if a smartphone or tablet ‘goes missing,’ it will not be accompanied by any scraps of paper due to the form factor of the device.

As the BYOD trend continues to grow, technology companies such as Apple have developed new features for their devices to protect corporate data. The i0S 7 incorporates automated third-party application data protection. This means that if employees are using third-party apps, the data is encrypted and therefore presumably more secure. Biometric devices for smart devices have also been developed — things like pads that unlock the phone with a fingerprint.  Apple has come out with the iPhone 5S that has a fingerprint sensor called the Touch ID to replace the need for a passcode.  The adoption of biometrics in an astoundingly popular consumer-level device is a good sign for the future of authentication mechanisms.

Some final thoughts:

Employees are still not protecting their data. While we have seen some improvement in education and password protection over last year’s results, consumers need to understand that they need strong passwords on all mobile devices. If lost or stolen, personal information and company information is at risk.

Companies are getting slightly better at protecting company data.  Compared to 49 percent last year, now just 47 percent of respondents stated their IT departments have NOT discussed mobile/cyber security awareness with them. Additionally, the number of companies with the ability to wipe data from mobile devices has increased. Only 33.8 percent of respondents stated that their companies do NOT have the ability to remotely wipe data from mobile devices if they are locked or lost, whereas 51 percent of companies did not have that ability last year. However, 44 percent reported that their company still does NOT have a mobile device usage policy (compared with only 37.3 percent from last year). Clearly, companies need to implement mobile device usage policies and invest in training their employees about the hazards of losing personal and company data.


No related content found.

About the Author

Mike Weber

About the Author
Mike Weber is responsible for the oversight of Coalfire Labs operations, including penetration testing, application security assessments and compliance validation, digital forensics services and incident response services. He has over 15 years of experience in senior security positions in various technical fields. His wide range of experience includes enterprise security planning and policy development, network engineering, vulnerability assessment, risk assessment, penetration testing, system administration and programming.

He is an expert in the development and management of information security programs tailored to highly regulated industries such as government, healthcare, banking, and utilities.

Mr. Weber also has expertise assessing and evaluating physical security control design and procedures. He has led assessments of IT and physical security programs in federal, state, and local government agencies as well as the commercial sector. He has also implemented and managed information security programs for organizations nationwide.

Contributing Author

Chris Lietz