New data shows that companies are increasingly exposed to security risks due to a variety of consumer-grade technology brought in by the employees.
I just returned from a tour in the Nordic countries where I presented to the local press the results of the latest BYOD survey* conducted by YouGov on behalf of Trend Micro. The data collected from 3,012 interviews across Norway, Sweden, and Denmark highlights many details of this controversial IT trend. Most importantly, the research confirms an undeniable truth: Companies around the world are exposed to increasing security risks due to a variety of consumer-grade technology brought into the enterprise by the employees and inevitably used for work-related activities.
Consumerization and BYOD have become mainstream in the Nordics. The majority (56%) of the respondents admit to using one or more personal devices for work-related activities. Laptops are the single most common personal devices that are also used for work (42%), in addition to newer form factors such as smartphones (33%) and tablets (11%).
Consistently, most employers (56%) have embraced consumerization and BYOD and, in fact, allow their employees to use their own personal computers (44%), smartphones (36%), and tablets (15%) for work-related activities. However, while many users (66%) seem to diligently follow corporate policies, almost one third (29%) admit to bypassing corporate permissions; this alone exposes companies to unacceptable security risks. This also confirms that corporate IT is losing control and that BYOD and consumerization are happening whether companies like it or not.
Security of those personal devices accessing corporate networks and data is definitely a top concern. In fact, a good number of respondents (63%) are aware of the risks and have security software on some of their personal devices. However, despite the exponentially growing volume of malware detected on newer mobile platforms – Android in particular – only a tiny fraction of these users have security software installed on their smartphones (16%) and even fewer on their tablets (7%).
Transparency and full disclosure are key to the success of any corporate BYOD program. However, only a fraction of the users (8%) have been informed by their employers that their personal files and their privacy may be compromised as a result of connecting their personal devices to corporate networks.
To make matters worse, the majority of the users (54%) admit to sharing – rightly – their personal devices with others. Personal computers are the most likely to also be used by family and friends (40%), followed by smartphones (20%) and tablets (10%). This is a major concern, as corporate data may be exposed to third parties who may not be aware of corporate BYOD policies. In addition, a remote lock & wipe initiated by the employer may affect third-party personal files, further exposing the company to liability and litigation.
And the influx of consumer-grade technology in the enterprise is not limited to mobile devices. While the majority of the users (79%) seem to limit their use of personal devices to accessing corporate email and calendar, a concerning 19% admit to relying on consumer-grade cloud services to store potentially sensitive corporate data. This is often in contrast with corporate policy (21%) and is cause for great security concern.
And for the most conservative IT managers among you, who believe that the corporate-liable device is still the way to go – sometimes referred to as Choose Your Own Device – here is a final interesting finding: Even when the device is owned by the company, and therefore bound to a traditional Acceptable Use Policy, half of the users (49%) admit to using it for personal purposes such as accessing social media websites and downloading potentially malicious applications and games.
To recap: over and over again, data shows that BYOD is like a huge iceberg on a collision course with the slow-moving corporate IT ship. From a distance, we all see the tip of this iceberg: those personal mobile devices brought in by the employees. However, most IT professionals fail to realize the full destructive potential of its underwater volume: that 90% or so of those personally owned devices that have no security software, that are likely shared with friends and family, and that the employees are going to proudly use with or without the company's approval.
P.S. In case you are wondering: the metaphor of the iceberg occurred to me when I first walked out of my hotel in Oslo to meet the press. The high temperature that day was -20°C (-4°F)!
Is your business heading towards a BYOD iceberg? How would the employees in your organization respond to the types of questions asked in this survey?
* Survey results are available upon request.