BYOD Brings IT Security Headaches

Organizations are being challenged to manage the BYOD (bring your own device, which most reports refer to as “consumerization”) trend as more employees use powerful and affordable personal mobile devices. More than half of information technology leaders in the US believe that BYOD poses a greater risk to the enterprise than mobile devices supplied by the company, according to a new member survey by the Information Systems Audit and Control Association (ISACA). Yet 27 percent still believe that the benefits outweigh the risks.

The 2011 ISACA IT Risk/Reward Barometer found that 58 percent of US information security and IT audit professionals view mobile devices owned by employees as posing the greatest risk, compared to 33 percent who chose among work-supplied smart phones, laptops/netbooks, tablet computers, broadband cards or flash drives. Why does BYOD get a bad rap? When asked, what the riskiest behavior you are aware of an employee doing with a mobile device that has access to the corporate network, 44% of respondents said, “store company data in an unsecured manner.” Not knowing how to handle the risk, or not being able to pay for someone to handle it, is also a challenge. Thirty-seven percent of respondents said budget limits are the greatest hurdle.

On the plus side, BYOD allows organizations and employees to use technology at a limited cost. But as the old saying goes, “there’s no such thing as a free lunch.” Because most organizations aren’t effectively managing BYOD in relation to information access, the access is accompanied by vulnerability. To counter this, organizations need to create and implement a full-scale mobile device policy that corresponds to their risk profile.

Embracing the cloud

This year’s Barometer shows that the number of enterprises not using use cloud computing for any IT services has decreased by 5 points to 21 percent, and those that plan to use it for mission-critical IT services has increased 4 points to 14 percent.

Robert Stroud, CGEIT, international vice president of ISACA and service management, cloud computing and governance evangelist at CA Technologies, says the risk is unavoidable– stifling use of the cloud will stifle business.

Increase in information security and risk jobs

The data, collected in March 2011, shows that 40 percent of respondents expect information security staffing requirements to increase over the next year. Thirty-four percent expect their risk management staffing requirements to rise.

This year’s Barometer indicates that IT risk management is becoming more strategic. Its integration into enterprise risk management is up slightly over last year. Compliance (26 percent) and avoiding negative incidents (22 percent) are still primary drivers, but a close third now is aligning functionality with business needs (18 percent).

The study polled 2,765 IT leaders globally, including 712 respondents from the US. The full results are available here.