Recent Ponemon Institute Study Casts Doubt on the Effectiveness of BYOD Policies

I recently represented InZero Systems at a webinar co-hosted by Larry Ponemon of the Ponemon Institute and the security firm Avecto. The webinar was entitled Cyber Strategies for Endpoint Defense and was largely based on the recent report of the same name. The study points out security weaknesses that can stem from the introduction of BYOD (Bring Your Own Device) policies in a company or institution.

Ponemon pointed out that the “percentage of IT users with administrator access privilege is increasing, making endpoint defense more difficult. Primarily it is due to the increase in the use of mobile devices and cloud.” In fact, 65% of the 559 IT and IT security practitioners in the United States surveyed claimed that using mobile devices as endpoints has caused a sharp increase in the number of people granted administrative privileges in their firms. This has put increased pressure on IT staff. The survey found that, on average, 48% of an organization’s total time is spent on security issues dedicated to securing the endpoints. Even among those institutions that try to control access to administrative privileges, only 18% say that those controls are effective. In other words, access to administrative privileges by those using mobile devices as endpoints has emerged as the biggest security risk.

With such dire warnings, one would think that companies would opt for much more control over users who want to use their mobile devices to access the company or organization’s network. In fact, most IT departments would agree with this. They tend to believe that, when security is a priority, user experience should not be much of a concern. The study confirms this by finding that “only 9 percent of respondents say the end-user experience is an important factor when implementing an information security project.” However, such tight security often leads to negative results. Productivity may suffer and users may be more tempted to circumvent security policies to get their work done. Other studies have found that 77 percent of BYOD employees dislike the use of MDM (mobile device management). In other words, they want as much freedom as possible.

IT departments know they need to exert more control over employee behavior. However, according to the study, “the majority of respondents rate their organizations’ knowledge about user behavior, including software downloads, access to applications and databases as mostly zero to very low visibility.” This, therefore, highlights the BYOD dilemma. How can you let users have freedom while preserving the company’s safety? Even COPE (Corporate Owned Personally Enabled) policies must restrict some aspects of personal use…or do they?

To my knowledge, only one security firm has developed a system that allows users to do whatever they want on corporate-owned tablets while, at the same time, being able to access the corporate network on the same devices. The WorkPlay Tablet separates the work zone from the personal zone at the hardware level and, in this way, allows users to do whatever they wish on the personal side of their tablet without contaminating the network side. They can download apps, visit social networking sites, and even be lured into visiting infected websites without compromising company information. According to InZero Systems VP of Product Development, Oleksii Surdu, the company is in the process of developing an MDM that is integrated into the firmware and will allow organizations to manage their connected devices in a completely new way.

As I stated in a past article on the inevitability of BYOD, companies tend to jump on bandwagons without finding out whether they have qualified drivers. They want to feel as if they are on the cutting edge of current trends without taking the time to check whether they are putting their future at risk. More unsecured endpoints simply means more potential access points into your network. This is especially true if these endpoints have administrative rights that cybercriminals can use to ransack your network for your most sensitive information. Ponemon’s conclusion is that “managing user privileges is essential to reducing the risks of APTs and other cyber attacks. It is critical that access to the corporate network and sensitive data is controlled.” With these warnings in mind, we can expect to see more companies shying away from BYOD and developing more control through COPE-related solutions. It seems the battle between company security and employee freedom will only intensify in the process and do nothing to solve the underlying problem.