BYOD runs wild at most global companies

More than three quarters in survey said their organisations had not trained employees to understand the privacy risks of BYOD

More and more workers around the world are bringing their personal mobile devices to the office daily, and companies appear to be having trouble keeping up with the trend.

About 60 percent of organisations acknowledged they either don't have a policy that specifies how employees may use their own devices in the workplace (41 percent) or are just planning to write such a policy, a study released on Wednesday from Acronis and the Ponemon Institute has found.

"Even though we're still in the early stages of BYOD [Bring Your Own Device], companies are playing catch-up to where their users are," Anders Lofgren, director of Mobility Solutions for Acronis, told CSOonline.

Even as recently as three years ago, IT departments had an iron grip on the endpoints to their networks. "They could secure and provision a fixed device that was procured by the enterprise," said Ben Gibson, chief marketing officer for Aruba Networks.

Now IT has to deal with many devices being brought to work by employees. "Enterprises and IT organizations are in the process of catching up with this trend," Gibson said.

Slow adoption of BYOD policies by companies could be a sign of denial, said Steve Martino, vice president of information security and acting CISO of Cisco. "If a company doesn't have a BYOD policy, it's because they're trying to pretend this isn't happening in their organization," he said in an interview. "They think that if they don't have a policy, BYOD isn't happening in their organization."

Of the companies with BYOD policies, almost three quarters of them imposed highly restrictive policies on their workers by either requiring personal devices to be approved by the company before being allowed to access the firm's networks (43 percent) or banning personal devices from company nets (31 percent).

Those numbers could be misleading because there are industries where launching BYOD programmes is severely limited, such as banking, pharmaceuticals, health care and defense. "But those barriers are breaking down," Acronis's Lofgren said.


While it may be necessary to restrict BYOD in some industries dealing with highly sensitive data, it isn't necessary for most rank-and-file office workers, said Cisco's Martino.

"For the basic white collar productivity worker, companies can see real benefits from a BYOD program," Martino said. "By forbidding BYOD, you encourage people to work around the policy."

"Then, because you have controls that say you can't use it, you think you're protecting your data," he said. "When actually you're limiting your effectiveness to identify and control security incidents when they happen."

"Forbidding BYOD is more trouble than having a controlled policy to adopt it," Martino said.

Cross-country attitudes could also be affecting a company's ability to launch full-bore BYOD programs. "Some countries have strict cultural policies about whether you can bring a personal device to work or not," Aruba's Gibson said.

Nevertheless, it will be increasingly difficult for any organization anywhere in the world to ignore BYOD. "I believe all industries will be moving toward BYOD because the consumerization of IT trend is one that will become prevalent," Gibson maintained.

Nearly three-quarters of the companies with BYOD policies (73 percent) told surveyors that they applied their BYOD policies equally to everyone, although about a quarter of the businesses said they made exceptions to their policies for executives and privileged users.

Of the more than 4,300 IT practitioners participating in the survey, more than three quarters (77 percent) said their organizations had not trained their employees to understand BYOD privacy risks.

"What might happen is an employee may try to access their files with their smartphone or tablet and use unauthorized methods to do that," Lofgren said.

"That will expose some of these organisations to risk, whether they know it or not," he said.


Stories by John P. Mello
