50% of US Businesses Have No Formal BYOD Policy

Uploaded on 2015-11-17 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Years after the widespread adoption of workplace smartphones, more than half of US companies said they have no formal BYOD (bring your own device) policy to safeguard their enterprises, according to a survey.        

The survey of 447 businesses of all sizes was conducted over the summer by systems integrator Champion Solutions Group. It found that 53% of those businesses haven't implemented a formal BYOD policy, while more than one-fourth confessed they have no systematic security approach, much less a formal policy.

The survey findings are "ridiculous … surprising," said Champion CEO Chris Pyle, in an interview. Mobile security and best practices have been promulgated by analysts and security firms for more than a decade to protect sensitive corporate data, but there is apparently widespread variation about how companies implement security for BYOD workers.
"The evidence is indisputable that a growing need exists for more stringent application of security policies and procedures in modern businesses," Champion wrote in an 18-page white paper describing the survey's findings.

The value of allowing workers to use their personal smartphones and tablets while at work is now well understood by companies, and has been tied to greater productivity because workers find and use applications and services for their phones that they personalize to become more efficient. But Pyle said there can be a downside. "You need to have workplace freedom, but you need to have a framework as well," he said.

In addition to the lack of formal BYOD policies, the survey found that only 21% of businesses are using multifactor authentication (MFA) to verify a user's identity when granting access to critical enterprise applications and data. MFA covers a wide category of techniques to require two or more methods of authentication from independent categories of credentials when a person logs in from a device.
MFA techniques deployed by US businesses rarely include biometric authentication, where a fingerprint or iris scan is used to support a user name and password to authenticate a user's access to corporate data, Pyle said. Sometimes, instead, a unique code, or token, is sent to a smartphone for each entry into a company's applications or other data.

More often, companies rely on enterprise rights management software to grant a group of users — such as sales managers — access to a certain set of data from their phones — such as sales in a certain district. But that approach doesn't guarantee that every instance of access is from the authorized user. It could be from someone else who may have stolen a phone or used it temporarily, unbeknownst to the owner.
"Right now, there's some confusion and trepidation in the market about MFA," said Jason Milgram, director of software development for Champion. "None of our customers are incorporating biometric authorization into their security plan, even though they will eventually. Many are focused on enterprise content rights management and all of them are working out their strategy. When we bring up the subject of biometrics, people know about it and ask us, 'Can you show us or tell us.' "
While newer iPhones and many Android phones, like Samsung Galaxy smartphones, use fingerprint scanners for a user to access the phone itself, companies are only just beginning to consider using the fingerprint scanner to access enterprise apps or data, Milgram said. Some companies are relying on partitioning of personal from work data within the operating system of some newer phones, but even that approach may not be secure enough, depending on the level of risk that a company can tolerate.

Champion has 2,300 business customers, primarily in health care, distribution and finance. It operates a business unit called MessageOps that helps companies deploy Microsoft Cloud Services, including Office 365, Enterprise Mobility and Azure services. Champion also works as a system integrator to help companies deploy other enterprise mobility management products such as VMware's AirWatch and IBM's Maas360.

The low adoption of MFA for mobile security noted in the survey doesn't surprise Pyle. "There's a lot of good talk by companies about what's coming and what's going to be available, but people aren't implementing what's available today, let alone what's coming tomorrow," he said.
As an example, the survey noted that 23% of companies don't lock out mobile access after a repeated number of sign-in failures. "That's a large percentage, too large," Milgram said. "Someone could launch a brute force attack if nothing is turned off."

The survey also found that 30% of companies don't even require alphanumeric passwords (those using both the alphabet and numbers). "That's a pretty basic precaution," Pyle added.
Champion plans to repeat the survey next year and expects to see a greater focus on security, he said.

Computerworld

« Cyber War Games: ‘Too Little Too Late’
'Jihadi John' Strike: US Says 'We Got Him' »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Panzura

Panzura

Panzura optimizes enterprise data storage management and distribution in the cloud, making cloud storage simple and secure.

ShmooCon

ShmooCon

ShmooCon is an annual east coast hacker convention offering three days of demonstrations and discussions of critical infosec issues.

ObjectSecurity

ObjectSecurity

ObjectSecurity is a leader in authorization policy automation. With OpenPMF, you can manage application security policies for access control and auditing.

Global Security Network (GSN)

Global Security Network (GSN)

GSN focuses on specialized IT Security solutions & services for the military, law enforcement, critical infrastructure and oil & gas sectors in the Middle East.

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER) - USA

Department of Energy - Cybersecurity, Energy Security, and Emergency Response (CESER) - USA

The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) addresses the emerging threats of tomorrow while protecting the reliable flow of energy to Americans today.

H3C Group

H3C Group

H3C provides a full range of Computer, Storage, Networking and Security solutions.

Intelligent Business Solutions Cyprus (IBSCY)

Intelligent Business Solutions Cyprus (IBSCY)

IBSCY Ltd is a leading provider of total IT solutions and services in Cyprus specializing in the areas of cloud services and applications, systems integration, IT infrastructure and security.

Protergo Cyber Security

Protergo Cyber Security

Protergo Cyber Security is the first integrated provider of cybersecurity solutions in Indonesia. We proactively protect our clients from cyber threats.

New Enterprise Associates (NEA)

New Enterprise Associates (NEA)

As one of the world’s largest and most active venture capital firms, NEA has developed deep domain expertise and insight into our industries of focus - technology and healthcare.

LinkShadow

LinkShadow

LinkShadow is a next-generation cybersecurity solution that provides unparalleled detection of even the most sophisticated threats.

E2E Technologies

E2E Technologies

E2E Technologies are a proactive, SLA-beating, managed service provider that busts the common stereotypes surrounding IT.

vCISO Services

vCISO Services

vCISO Services is a small, specialized, veteran-owned firm focused on the needs of SMBs only.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

e-Safer

e-Safer

e-Safer's mission is to provide solutions and services that ensure a safer digital environment.

Tototheo Global

Tototheo Global

Tototheo Global harness the power of connectivity and technology to bridge technological divides, driving progress, security, and sustainability for a seamlessly connected world.