Are the Advantages of BYOD Worth the Security Risks?

Check Point Software recently released their Third Annual Mobile Security Survey, highlighting the impact of mobile devices on IT security. They surveyed more than 700 IT and security professionals in the U.S., Canada, Germany, the U.K., Australia, and New Zealand, and the respondents were spread fairly evenly across the spectrum of business sizes, with the largest segment (29%) coming from businesses with between 100 and 1,000 employees.

Here are some of their key findings (quoted from the site linked above):

• The Greatest Threat Resides Within Your Organization – 87 percent of surveyed professionals believed that the greater security threat to mobile devices were careless employees. Nearly two-thirds of the respondents believed that recent high-profile breaches of customer data were likely due to employee carelessness.
• Proliferate Use of Personal Mobile Devices on the Corporate Network – Despite careless employees as the weakest link into businesses, 91% of IT professionals saw an increase in the number of personal mobile devices connecting to their networks over the past two years. In 2014, 56% of those surveyed managed business data on employee-owned devices, up from 37% in 2013.
• Mobile Security Incidents Expected to Rise – 2015 is shaping up to be a risky year, according to those surveyed. Of the security professionals surveyed this year, 82% expect the number of security incidents to grow in 2015. Additionally, nearly all of the respondents (98%) expressed their concern about the impact of a mobile security incident, with the greatest concern being the potential for lost and stolen information.
• Cost of Mobile Security Incidents Continue to Rise – 2014 saw an increase in remediation costs for mobile security incidents. Of the IT executives surveyed, 42% noted that mobile security incidents cost their organizations more than $250,000.

Consider some additional trend data:

• Computerworld predicts that BYOD smartphones will continue to grow at roughly a 30% CAGR through 2017 – from only 88 million two years ago to 328 million in 2017.
• Rapid7 quotes a Cisco prediction that by 2016 there will be 1.62 billion mobile devices (of all kinds) in the workplace. They also state that more than 80% of the mobile devices in the workplace today are employee-owned.
• Over a year ago (back in May, 2013), Gartner predicted, based on a global survey of CIOs, that, by 2017, more than half of companies will require their employees to supply their own mobile devices.

So let’s recap: 98% of the Check Point respondents were concerned about the impact of mobile security incidents on their businesses, 42% said that such incidents had already cost their businesses more than a quarter of a million dollars, 82% expect the number of security incidents to grow in 2015. Yet nearly all have seen an increase in the number of personal mobile devices connecting to their networks over the past two years, and, by all indications, the BYOD trend will continue and, if anything accelerate. Which brings up two obvious questions: (1) If BYOD is such a security risk, why are businesses overwhelmingly moving in that direction? And (2) What can a business do to leverage the benefits of BYOD while still limiting the exposure to security risks? Let’s look at these two questions…

Why BYOD?

• It reduces the business’ capital outlay for mobile devices. Even in cases where businesses give their employees a cash allowance to purchase the mobile device of their choice, the company generally saves money in the long run by not being responsible for the maintenance and repair of an employee-owned device.
• Employees are more productive when working on their preferred device. Someone who has been using an iPhone for years isn’t going to be happy about being handed a company-owned BlackBerry device. A Mac user isn’t going to want to deal with a company-owned Windows laptop – and vice versa. Younger workers in particular, who have grown up with technology, want to use what they’re accustomed to using, and will be more productive if allowed to do that.
• Employees who use mobile devices for both work and personal matters tend to put in more hours per year – some surveys suggest as many as 240 more hours per year – than those who do not.
• Given the above, business who do not implement BYOD may find themselves at a competitive disadvantage.

How to Do BYOD Safely
First of all, more and more organizations are implementing some form of mobile device management (MDM). According to the Check Point survey, 56% of organizations were managing the business data that exists on personal devices, up from 37% in 2013. There are numerous MDM products on the market, but I would suggest that managing the mobile device itself is only part of the problem. A complete solution would also include mobile application management (MAM) – some mechanism to deploy secure applications to a mobile device…applications that would be “sandboxed” away from an employee’s personal applications, such that the data accessed by those applications would be isolated from the personal applications, and information could not be copy/pasted from a secure application into a personal application. It would also be nice if the organization could selectively wipe the secure applications and associated data from a mobile device while leaving the employee’s personal data and applications untouched. Citrix XenMobile Enterprise is such a solution, and the following 16 minute video does a great job of demonstrating the XenMobile Enterprise user experience:

And, of course, if your users need access to full-blown Windows applications, not just mobile apps, they can securely access those applications via Citrix XenApp or XenDesktop, as we’ve been doing for years.

Bottom line: BYOD is here to stay. Businesses are increasingly turning to BYOD because of its advantages, even though they recognize that it brings with it significant security risks. It is, however, possible to gain the advantages of BYOD without compromising the security of your company data, and ManageOps, by virtue of our longstanding partnership with Citrix, can help.