SC Magazine's second survey this month, in association with Good Technology, reveals a healthy attitude to BYOD, reports Tim Baker.
In March, SC Magazine and Good Technology teamed up to ask CISOs what was driving their ‘bring your own device’ (BYOD) strategy and what they felt was needed to secure the exponential rise of employee-owned kit on their organisations' networks.
The dominant findings from the poll illustrate clearly what industry leaders think is needed to secure the increasingly mobile workplace. Businesses are ready to reap the benefits of BYOD, and talk the talk in terms of security – 95 per cent of respondents declared security a ‘vital’ or ‘important’ part of any BYOD programme. But are they ready for the battle to stay protected?
Immediately evident was the pressure from above to finish the roll-out of BYOD as quickly as possible – 46 per cent of respondents felt leant on by C-level executives, and only two per cent said they were under no pressure from their colleagues. The motivations of senior staff are undoubtedly different to those of junior staff, but the clamour for BYOD is certain to only get louder.
The business-critical nature of security does seem to be getting through to executives, and this may relieve some of the undue haste. Nevertheless, CISOs must make employee-owned devices safe – there will be no excuses.
It doesn't take a global CEO with an MBA from Harvard to realise that people get more done if they can work on the move. Indeed, 64 per cent of those surveyed felt pressured to support mobile business applications on employee-owned devices, and 42 per cent said they have a strategy in place for developing apps in-house.
Andrew Yeomans, founding member of the Jericho Forum, states that applications are undoubtedly the backbone of any mobile workforce, but that security is often tacked on to new features and rushed in to ensure deadlines and budgets are met – a short-sighted model, he argues.
“When developing applications, we need security by design, not afterthought. This way costs less, and whole classes of potential vulnerabilities are eliminated,” he explains.
Almost all would accept that their corporate network has had much more invested in its security than the average smartphone. Reassuringly, most businesses take mobile application security seriously, with 80 per cent of respondents describing security as having at least equal importance with functionality when developing BYOD programmes. However, with many portable devices, especially at C-level, holding more sensitive information than desktop PCs, the remaining 20 per cent need to seriously debate whether valuing usability over security is ever a good idea.
Lost or stolen
The final issue taken up in the survey was the frequency with which employees misplace devices, with 26 per cent of respondents revealing that they replace smartphones at least monthly, and six per cent doing so daily. In a testament to the value of the information held on these devices, 65 per cent also said that they have had to wipe employees' handsets to protect sensitive data.
One key issue is that of employees failing to understand the value of the information stored on their mobile devices, with many of them not reporting a loss to IT. As such, innovative awareness programmes are becoming more commonplace, with many organisations investing in new techniques to inform their staff of information security policy, and in turn convincing them to obey it. Unfortunately, this is likely to be an arduous process, and until every employee is on board, technology must keep trying to plug the gap.
Alan Goode, managing director of Goode Intelligence, identifies this education trend as particularly noticeable in relation to employee-owned devices. “In situations where you have an enterprise issuing mobile devices to employees, there is usually the belief among users that these are business tools and that they need to take care of them. However, when you get employee-owned devices being used for enterprise purposes, there can be confusion and a behaviour that puts any company-owned information stored on these devices at risk. We need a combination of agile security controls and behavioural change to improve this situation and to minimise the risk,” Goode says.
Only the beginning
The survey offers overwhelming evidence that security professionals are identifying and adapting to the evolving requirements of BYOD as a business-critical element of enterprise IT architecture. However, there is still much to be done to secure the mobile workforce – the future will punish anyone taking their eye off the ball.