Bring Your Own Device is a big problem for IT data integrity, but one they could easily fix

The number of employees bringing their own devices (BYOD) to the workplace has grown exponentially in recent years; a full 80% of employed adults use some kind of personal device (smartphones, tablets, or PCs) for work-related functions. While a large proportion of this 80% is likely attributed to personal computers, the ushering in of the smartphone era is starting to shift this trend toward mobile devices.

In any given meeting, I regularly see several smartphones and a tablet or two sitting out on the table, with the user either checking email or viewing electronic copies of the meeting materials. But this era of hyper-connectivity and the move towards BYOD brings with it some nasty headaches for IT departments, according to a recent ESET report.

The report brings with it some startling, though not surprising, statistics about device security. Less than 10% of tablet owners and 25% of smartphone users have auto-locking enabled on their devices. Adding in all devices used for work-related purposes yields a security compliance of less than 50%. ZDNet also sees this trend as a huge problem, encouraging smartphone and tablet owners to at least enable a basic password unlock on their devices.

While the statistics and suggestions out of the ESET and ZDNet reports certainly have some alarming data, the finger-pointing is squarely in the wrong direction. Businesses love the trend towards BYOD. In the past, if an organization wanted (or needed) its employees to be more connected, they would have to foot the full bill to purchase devices and cellular plans for their employees.

The costs associated with doing business in this way is huge, leading many organizations to limit this practice to director level employees or above. Now, most organizations simply provide a $30-$50 credit towards employee smartphone contracts, and generally only provide that benefit to employees in management  or higher. That means that they get the benefit of non-management employees adopting smartphones and increasing productivity without having to pay for it on the back-end.

The second major flaw at least in ZDNet’s report is that they don’t point fingers at IT departments themselves for this utter lack of security. ZDNet focuses on employees who connect to Exchange networks, suggesting they should be ashamed of themselves for not setting a password on their devices that have access to valuable company information.

What they fail to report is that Exchange grants IT departments the ability to force users to implement security on their devices. I recently set up a connection to the Exchange server on my Android smartphone, and the connection required that I set at least a gesture-based unlock on my phone in order to connect. There’s no way around this either; if I remove the lock-screen gesture unlock in my device’s security settings, I lose connection to the Exchange network.

Though I agree that enterprise data integrity is a real issue facing IT departments today, the onus of data security compliance should be on these IT experts, whose primary purpose is to ensure network and data integrity. After all, corporations benefit when employees are constantly connected into work-related news and activities.


[via ESET, ZDNet; Image from The Australian]



  • Guest

    Anthony, while I enjoy your post, I must disagree with your summary. Information security is not the responsibility on “IT Experts”. In organizations (public and private), the role of information security is set on those that can make both financial and resource decisions, such as executive and management staff. This executive and management staff should be comprised of those individuals or groups that are designated as the “Information owner” or “system owners”. In most cases, the IT staff are not these personnel. IT personel are in charge of implementing the technology that are provided to them, and also monitoring systems. The IT security professional is in charge of evaluating system security and reporting vulnerabilities and/or recommending security controls. That is the largest misunderstanding with IT staff today regarding security and it is a shame that the fingers are pointed at them.

    • Then who in the organization IS responsible for data integrity? I know for damn sure our IT department is, which is why i’m required to password protect my devices if I’m going to connect to our exchange server.

      • Guest

        Not wanting to delve into this too deep; data integrity, confidentiality, and availability are all responsiblities of those staff that can make both financial and resource decisions (aka upper management, etc). The IT department may be the ones in your case that set the flag/switch/setting that cause you to have to set a password on your mobile device…. but if you have a properly run organization, the only reason that the IT department configured the security controls for your mobile device was because they were following a “policy” or “procedure” set forth, approved, and signed by business/information owners. In our organization, if an IT changed a control such as password length without senior management approval, they would be quickly written up or fired.

  • Johnathan Ritter

    Typical break downs are basically you have the “IT Department” that handles Information Technology. That in of itself is a very WIDE and BRANCHING word there. Typical people part of the IT Department are Support Techs, IT Techs (and their associating titles/responsibilities, and positions) Network Techs (and their associating titles/responsibilities, and positions). Typically within the “Network Tech” branch you will find your Data Security and Integrity Folks. These ladies and gentlemen handle your static, or mobile connection devices. To believe these folks are outside of the IT Department would be a security risk.

    • Guest

      That is absolutely true, my opinion here and I have seen it too, it is a shame that security is handled as far deep as IT Dept->Network Tech-> DS/IS folks. I feel it is a security hole, that security does not expand past the IT department. When implementing some of the new standards and guidelines, such as NIST, security goes past just logical controls. It encompases risk management, physical controls, training, etc. Thats why I feel the intention of these news standards is to bring security out of just the IT realm and move it up higher in the command structure.

Back to top ▴