Companies failing to get a grip on BYOD

Varonis questioned almost 200 companies, 47% SMBs and 53% enterprise-class, about their BYOD experiences – and found that nearly 75% of employees are now allowed personal devices at and for work. This is despite 50% of the organizations admitting they had lost devices containing important data, and 22% admitting “that a lost device had created security implications.”

But BYOD is now an unstoppable force – driven by users’ obsession with their devices. “Of our respondents,” says the report, “a remarkable 86% could be considered device obsessed: 44% of our respondents are email-centric, another 20% considered themselves ‘border-line workaholic’, 15% brought their devices with them on vacations, and 7% could claim that their ‘work and home life are one’.”

BYOD users are aware of the security implications of using personal devices at work – but this is as much to do with their own security as the company’s security. “Our results,” states the report, “reveal that 50% knew of an incident in which a device was lost. Even more alarming, 22% reported that a lost or misplaced device created security implications for their company. This group of respondents is also aware of the privacy implications of losing their personal devices: 57% said that lost health information and other personal data would put them at risk.”

With such widespread use of BYOD, and such widespread understanding of the security risks, it would be reasonable to assume that stringent security controls would be in place. This isn’t so. While 74% of companies allow BYOD, only 41% have a formal policy – 33% of companies operate no formal policy but simply have a permissive attitude. Surprisingly, this seems to make little difference to security. “The study found that implementing a BYOD policy seems to have a small, though arguably statistically insignificant, positive effect on security: 26% of those without a BYOD policy [against] 21% of those who have a BYOD policy in place.”

Where a policy is in place, the most popular security approach is password protection (57%) augmented by remote erasure (35%) and encryption (24%). “The most troubling aspect of this particular result,” says the report, “is that 13% told us that their company didn’t require device-level password protection. While this group may have had other security methods in place, it’s hard to overstate the importance of password protection.”

The overall feeling from this report is that companies simply aren’t keeping up with staff use of personal devices. “Being connected to work around the clock appears to be accepted as the ‘new normal’,” said David Gibson, VP of strategy at Varonis. “While organizations are capturing the many benefits of BYOD – and the willingness of the workforce to embrace this style of working – companies must protect themselves. Only by limiting the potential damage,” he continued, “both to organizations and employees – can organizations make the most of a trend that will continue to leap forward, whether businesses allow it to or not.”
