IT and Employees See BYOD Security (Much) Differently
IT organizations continue to struggle with the details when it comes to enabling BYOD for applications beyond email, and a new study finds that while employees are eager to access corporate resources from their mobile devices, they have little tolerance for controls IT wants to impose.
Tue, November 20, 2012
CIO — Bring-your-own-device (BYOD) is top of mind for most CIOs and IT leaders these days, but only a fraction of the IT organizations that have opened the BYOD door have gone beyond allowing access to company email and instant messaging, according to a recent study by Blue Coat, a Web security and WAN optimization company. Blue Coat also found that IT staff and other company employees have dramatically different perspectives on security when it comes to mobile devices.
In its November 2012 Blue Coat Mobility Study, the company surveyed 350 respondents and found that most organizations allow employees access to company email (83 percent) and instant messaging (56 percent) on personal devices, but only a fraction open up ERP (31 percent), sales force automation (24 percent) and supply chain management (19 percent) applications to mobile devices that aren't corporate-owned.
"Organizations are trying to figure out how to safely deploy apps beyond email, but right now it's mostly just email," says Timothy Chiu, director of product marketing at Blue Coat.
IT Doesn't Recognize How Pervasive BYOD Is
Organizations are clearly uncertain about mobile malware and employee acceptance of the IT organization placing security controls on employees' personally owned devices, Chiu says, but that also means those organizations are not fully realizing the business productivity potential of mobility. Those IT organizations also don't fully recognize how pervasive BYOD has become among company employees, he says.
Blue Coat found that, on average, IT staffers believe that 37 percent of employees access corporate resources from their own devices. But 71 percent of employees report they do so. Employees are also much more cavalier about the security risks associated with their devices. Blue Coat found that 88 percent of employees believe their device is very or somewhat secure. Meanwhile, a whopping 77 percent of IT managers see the risk of malware spreading to the corporate network from mobile devices as moderate to very high.
Mobile Malware a Minor Threat, But Phishing Isn't
Chiu concedes that while malware is a growing threat in the mobile sphere (particularly with Android devices), mobile malware is still a relatively minor threat. However, mobile devices often make their users more vulnerable to phishing attacks.
"Phishing on a mobile device is almost impossible to pick up," he says. "Mobile phones are much worse than desktops at protecting you from phishing."
For instance, in a normal browser an observant user can spot a fraudulent link when hovering the mouse over a URL. But with a mobile device you typically have to actually touch a link before the mobile browser displays the URL. In addition, mobile browsers tend to autohide the address bar when you go to a site so as to maximize screen real estate. If you've been lured to a fake banking page, it's unlikely you'll spot the phony URL if you're on a mobile device.