Are your employees on a BYOD binge?

Organizations know that employees’ personal mobile devices are sometimes getting onto their networks, but the extent of the problem could be worse than they thought.

A new study by the SANS Institute found that only 9 percent of organizations surveyed were “fully aware” of the devices accessing their networks, and only 50 percent were “vaguely or fairly” aware.

Meanwhile, organizations are scrambling to manage the risk, pursuing everything from user education and mobile device management to Network Access Control and monitoring, SANS said in announcing the study.

The full report, SANS’ First Annual Survey on Mobility Security, produced with Bradford Networks, Hewlett-Packard and MobileIron, will be released April 12 during a webcast.

A panel at the FOSE tradeshow focused on the risks surrounding the use of personal mobile devices for work. Companies and government agencies are struggling with policies that balance security of systems, efficiency, and privacy rights.

General Dynamics, for one, is developing a possible policy that may include employees signing waivers for the company to take control of smartphones or perhaps placing a secure app on the phone that has to be used to gain access to company systems, said Woody Hall, a senior vice president for operations in the health and civilian solutions division of General Dynamics IT.

Among other results, the SANS survey of 500 IT professionals found that fewer than 20 percent of organizations are using endpoint security tools, although the organizations using them are using agent-based, rather than agentless, tools.

"More than 60 percent of organizations today allow staff to bring their own devices," SANS Senior Instructor and survey author Kevin Johnson said in the announcement. "With this type of permissiveness, policies and controls are even more important to help secure our environments."

The challenge of managing and securing personal devices has been building for some time. A SANS report released in November 2011, “Your Pad or Mine? Enabling Secure Personal and Mobile Device Use On Your Network,” cited Gartner statistics showing that enterprises are aware of only 80 percent of all the devices on their networks.

The unknown 20 percent, often mobile devices including smart phones, tablets, notebooks and even gaming consoles, are unsecured, possibly jailbroken, and threaten to introduce malware to the network resources they access, the report said.

Gartner predicted that, as a result of unsecured mobile devices, 80 percent of organizations that have "bring your own device" policies would see a 100 percent increase in botnet infections by 2013.

The report said standardizing or controlling mobile platforms, and using security measures such as Network Access Control, would be critical to preventing compromises.

Government agencies have been developing BYOD policies, in part out of recognition that many people are tied to their smart phones and tablets and are inevitably going to use them in their work. The White House is developing a federal BYOD policy.

But panel members in a session at this week’s FOSE conference warned that the practice could be outstripping policy efforts, Federal Computer Week reported.

The federal government, like other organizations, is adopting BYOD practices out of necessity, said Rob Burton, partner at the Venable LLP law firm. “But this train may be moving too fast,” he said.

Personal devices present a risk to internal networks for a variety of reasons, including the possibility that they could inadvertently introduce malware into systems, create nodes on networks that administrators are unaware of, and expose internal information if the devices are lost or stolen.

Another element of uncertainty is whether agencies have a right to the information on an employee’s phone or other mobile device if it is personally owned.

At FOSE, Burton discussed a recent Supreme Court decision holding that a municipality could download personal information from a city-owned phone issued to a police officer under investigation, FCW reported. Had that phone been personal property, the right to privacy might have changed the ruling, Burton said.

He also noted the potential threat of foreign agents capitalizing on BYOD policies to infiltrate networks.

“We think the cyber issues for BYOD are a huge legal area and will be very tough and challenging for corporations and government agencies,” Burton said.

 

Reader Comments

Mon, Apr 23, 2012 johnhenderson522

It is really amazing the way that BYOD seems to be relevant to everyone these days. At the hospital I work at, we have the burden of meeting HIPAA requirements, particularly since many doctors send and receive patient info via text messaging on their BYOD phones. This opens the hospital to a HIPAA-related lawsuit if the doctor loses their phone or it is hacked. If we are inflexible, then the doctors will not be able to handle as many patients, since texting patient info speeds things up. In order to deal with the issue, we got the doctors to use Tigertext, which deletes the text messages after a period of time, making it HIPAA compliant. I don't know if this is the best solution for everyone, but it was an easy and cost-effective way to deal with this issue. It was added to the IT department's responsibilities, but once the department's business objectives were redefined on this issue, they were able to handle it better. The BYOD issues that IT departments are dealing with are only going to become more complex in the future and your article raised some important points. I also found this article on BYOD that adds to your article with some additional charts and findings: http://byod.us/bring-your-own-device-importance-of-defining-business-objectives/ also: http://www.tigertext.com
