50% of US Businesses Have No Formal BYOD Policy

Years after the widespread adoption of workplace smartphones, more than half of US companies said they have no formal BYOD (bring your own device) policy to safeguard their enterprises, according to a survey.

The survey of 447 businesses of all sizes was conducted over the summer by systems integrator Champion Solutions Group. It found that 53% of those businesses haven't implemented a formal BYOD policy, while more than one-fourth confessed they have no systematic security approach, much less a formal policy.

The survey findings are "ridiculous … surprising," said Champion CEO Chris Pyle, in an interview. Mobile security best practices have been promulgated by analysts and security firms for more than a decade to protect sensitive corporate data, but there is apparently wide variation in how companies implement security for BYOD workers.
"The evidence is indisputable that a growing need exists for more stringent application of security policies and procedures in modern businesses," Champion wrote in an 18-page white paper describing the survey's findings.

The value of allowing workers to use their personal smartphones and tablets while at work is now well understood by companies, and has been tied to greater productivity because workers find and use applications and services for their phones that they personalize to become more efficient. But Pyle said there can be a downside. "You need to have workplace freedom, but you need to have a framework as well," he said.

In addition to the lack of formal BYOD policies, the survey found that only 21% of businesses are using multifactor authentication (MFA) to verify a user's identity when granting access to critical enterprise applications and data. MFA covers a wide category of techniques to require two or more methods of authentication from independent categories of credentials when a person logs in from a device.
MFA techniques deployed by US businesses rarely include biometric authentication, where a fingerprint or iris scan is used to support a user name and password to authenticate a user's access to corporate data, Pyle said. Sometimes, instead, a unique code, or token, is sent to a smartphone for each entry into a company's applications or other data.

More often, companies rely on enterprise rights management software to grant a group of users — such as sales managers — access to a certain set of data from their phones — such as sales in a certain district. But that approach doesn't guarantee that every instance of access is from the authorized user. It could be from someone else who may have stolen a phone or used it temporarily, unbeknownst to the owner.
"Right now, there's some confusion and trepidation in the market about MFA," said Jason Milgram, director of software development for Champion. "None of our customers are incorporating biometric authorization into their security plan, even though they will eventually. Many are focused on enterprise content rights management and all of them are working out their strategy. When we bring up the subject of biometrics, people know about it and ask us, 'Can you show us or tell us.'"
While newer iPhones and many Android phones, like Samsung Galaxy smartphones, use fingerprint scanners for a user to access the phone itself, companies are only just beginning to consider using the fingerprint scanner to access enterprise apps or data, Milgram said. Some companies are relying on partitioning of personal from work data within the operating system of some newer phones, but even that approach may not be secure enough, depending on the level of risk that a company can tolerate.

Champion has 2,300 business customers, primarily in health care, distribution and finance. It operates a business unit called MessageOps that helps companies deploy Microsoft Cloud Services, including Office 365, Enterprise Mobility and Azure services. Champion also works as a system integrator to help companies deploy other enterprise mobility management products such as VMware's AirWatch and IBM's MaaS360.

The low adoption of MFA for mobile security noted in the survey doesn't surprise Pyle. "There's a lot of good talk by companies about what's coming and what's going to be available, but people aren't implementing what's available today, let alone what's coming tomorrow," he said.
As an example, the survey noted that 23% of companies don't lock out mobile access after a repeated number of sign-in failures. "That's a large percentage, too large," Milgram said. "Someone could launch a brute force attack if nothing is turned off."

The survey also found that 30% of companies don't even require alphanumeric passwords (those containing both letters and digits). "That's a pretty basic precaution," Pyle added.
Champion plans to repeat the survey next year and expects to see a greater focus on security, he said.
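The two basic controls the survey found missing, lockout after repeated sign-in failures and an alphanumeric password requirement, are simple to implement. The following is an added example, not code from Champion or from the article; the threshold of five failures, the five-minute counting window, the fifteen-minute lockout and the twelve-character minimum are illustrative values, and the credentials dictionary is constructed sample data (a real system stores password hashes).

```python
"""Sign-in failure lockout and alphanumeric password policy.

Added example (not from Champion or the article). The thresholds below are
assumed values, not figures from the survey.
"""
from dataclasses import dataclass, field
import hmac
import time

MAX_FAILURES = 5          # failures allowed inside the window before lockout (assumed)
FAILURE_WINDOW = 300      # seconds over which failures are counted (assumed)
LOCKOUT_SECONDS = 900     # how long an account stays locked (assumed)
MIN_PASSWORD_LENGTH = 12  # assumed minimum length


def password_meets_policy(password: str) -> bool:
    """Alphanumeric policy: minimum length plus at least one letter and one digit."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Tracks sign-in failures per account and enforces a temporary lockout.

    `clock` is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, credentials: dict, clock=time.time):
        # credentials maps username -> expected secret; constructed sample data only
        self._credentials = credentials
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state(user).locked_until

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        A locked account rejects even a correct password, so repeated guessing
        yields no signal about which guess was right.
        """
        now = self._clock()
        state = self._state(user)
        if now < state.locked_until:
            return "locked"
        expected = self._credentials.get(user, "")
        # constant-time compare; unknown users take the same path as wrong passwords
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            state.failures.clear()
            return "ok"
        # drop failures that fell outside the counting window, then record this one
        state.failures = [t for t in state.failures if now - t < FAILURE_WINDOW]
        state.failures.append(now)
        if len(state.failures) >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            state.failures.clear()
            return "locked"
        return "denied"


def demo() -> dict:
    """Drive the guard with a fake clock and return the observed outcomes."""
    now = [1_000_000.0]
    guard = LoginGuard({"alice": "Tr0ub4dor-xyz"}, clock=lambda: now[0])
    results = [guard.attempt("alice", "wrong-guess") for _ in range(MAX_FAILURES)]
    locked_even_if_correct = guard.attempt("alice", "Tr0ub4dor-xyz")
    now[0] += LOCKOUT_SECONDS + 1  # advance past the lockout
    after_lockout = guard.attempt("alice", "Tr0ub4dor-xyz")
    return {
        "results": results,
        "locked_even_if_correct": locked_even_if_correct,
        "after_lockout": after_lockout,
    }


if __name__ == "__main__":
    print(demo())
```

The window-based counter means a handful of genuine typos spread over a day never trips the lockout, while a rapid run of guesses does; the same `attempt` path is taken for unknown usernames so that response differences do not reveal which accounts exist.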

Computerworld
