
BYOD Circumventing Enterprise Security Policies, Survey

According to the results of a study released today by Websense, the Bring-Your-Own-Device phenomenon is growing, and with the trend, employees are often circumventing corporate security policies. The results showed that seventy-seven percent of the 4,000 people interviewed said that mobile devices are mission-critical when it comes to getting work done, but within that same group 76 percent believe that their mission-critical devices place the organization at risk.

"IT has spent years working on desktop security and trying to prevent data loss over web and email channels—but mobile devices are radically changing the game," said Tom Clare, senior director of Product Marketing Management at Websense. "Tablets and iOS devices are replacing corporate laptops as employees bring-their-own-devices to work and access corporate information. These devices open the door to unprecedented loss of sensitive data. IT needs to be concerned about the data that mobile devices access and not the device itself."

Previously, in a similar Ponemon Institute survey, IT respondents said 63 percent of breaches occurred as a result of mobile devices. With that in mind, here are some of today’s key findings.

- Fifty-nine percent of respondents report that employees circumvent or disengage security features, such as passwords and key locks, on corporate and personal mobile devices.

- Seventy-seven percent of respondents agree that the use of mobile devices in the workplace is important to achieving business objectives. A similar percentage (76 percent) believes that these tools put their organizations at risk. Only 39 percent have the necessary security controls to address the risk, and only 45 percent have enforceable policies.

- Sixty-five percent of respondents are most concerned with employees taking photos or videos in the workplace -- probably due to fears about the theft or exposure of confidential information. Other unacceptable uses include downloading and using internet apps (44 percent) and using personal email accounts (43 percent). Forty-two percent say that downloading confidential data onto devices (USB or Bluetooth) is not acceptable in their organizations.

"We asked thousands of IT security professionals and mobile devices were overwhelmingly important to business objectives," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

"However, mobile devices put organizations at risk—risks that they do not have the necessary security controls and enforceable policies to address. It's also clear that employees are deliberately disabling security controls, which is a serious concern."

The results of a separate survey released today by Trend Micro at Mobile World Congress 2012 in Barcelona showed that 78 percent of companies permit employees to use their personal devices for work-related activities. Disturbingly, the report showed that almost half of the companies that permit BYOD (46.7%) reported having a data or security breach as a result of an employee-owned device accessing the corporate network. The survey also showed that virtually all companies surveyed (89.1%) apply an IT security policy to employee-owned devices that access the company network, and that 53.7% also require that devices either be on a preapproved list and/or preapproved with security software installed.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.