The Information Security LinkedIn group released a new survey from its 200,000-member community on the state of bring-your-own-device (BYOD) and mobile security initiatives in their enterprises. We provide our take on some of the findings from this comprehensive survey’s 1,100 responses.

To BYOD or Not?

According to the survey, over 60 percent of enterprises allow or tolerate employee use of personal devices to access enterprise data. Only a small minority of enterprises, 11 percent, have no plans to allow such usage. Enterprises that allow BYOD expect the primary benefits to be improved employee productivity and satisfaction and better overall security, and 58 percent expect related budgets to increase or stay flat.

Our Take: Device ownership is destined to become a nonissue, and IT organizations must adopt new capabilities to secure enterprise applications and data on a shared personal or corporate data device. Enterprises are embracing BYOD programs as an opportunity to invest in the secure productivity of their employees as opposed to a “cost of doing business.” Securing corporate data without making assumptions on device security makes enterprises less complacent and more rigorous in assessing and addressing security risks.

Enable Flexible Data Access

According to the survey, email remains the most commonly allowed form of access at 86 percent of responses, followed by access to documents, custom mobile applications and cloud services. Overall, structured data in enterprise databases is still deemed most valuable, with unstructured data a close second.

Our Take: Our devices enable access to critical enterprise resources. Sensitive data and transactions are accessed, stored locally and exchanged not only with data center apps, but also third-party services. BYOD enables a “personal” device image, but enterprises must take steps to secure local app execution, encrypt enterprise data where applicable and detect access and transactional risk.

Data Loss Doesn’t Equal Device Loss

The biggest mobile security risk, according to the survey, is losing enterprise data. In essence, the risk categories can be divided into three main areas: data (stolen, lost, unauthorized access), threat (fake apps, malware, exploits) and management (endpoint security, regulatory compliance).

Our Take: Enterprises must address each of these three dimensions through a holistic framework. Many enterprises have made progress on addressing the “lost device” scenario and data-loss risk with enterprise mobility management suites that enable a remote wipe of enterprise data from mobile devices. However, securing devices against compromise has a long way to go; this is partly due to the restrictions enforced by mobile OS vendors on the security community, which limit the ability to secure mobile platforms.

Mobility Impact: Tools and Resources

Enterprises are investing in resources (mostly security personnel) and tools (mobile device management and endpoint security solutions) to address the emerging mobile threats.

Our Take: Enterprises are taking steps to reduce mobile-related security risks. To minimize the burden, such resource allocation should occur in the context of a comprehensive plan that addresses enterprise-specific risk factors. For example, banks that provide online banking services to customers must address transactional risk from both laptops and mobile devices that they have absolutely no control over. Malware and phishing risks that are common to that environment should be assessed when new capabilities are rolled out (e.g., remote deposit capture).

Reducing Attack Surface: Beyond the Basics

Simple steps are the easiest to implement. Most enterprises require password protection on devices accessing enterprise data; this will deter the occasional thief but is probably no match for a focused adversary. Encryption and remote wipe provide additional layers of security.

Our Take: While these measures are a good start, security should be embedded in the enterprise mobility initiatives. For example, secure development practices and mobile penetration testing will reduce vulnerabilities that can be exploited by malware, thus reducing the attack surface. While the malware threat has quickly grown, its capabilities have slowly evolved on mobile devices. Recent developments should drive security teams to reassess the threat and the possible impact of credential loss on their enterprise security.

Download Full Report: BYOD & Mobile Security Survey

Summary

The survey shows enterprises’ increasing readiness to embrace BYOD programs. Enterprises are making investments in people and tools to manage the key risks to enterprise resources (applications and data), driven by mixing corporate and personal data and the evolving threat landscape. The business rationale for these investments is boosting employee productivity while improving security as a broader set of risks is taken into consideration; this is a no-brainer since we expect BYOD to become table stakes for virtually all enterprises in the next few years. Given the utility and importance of mobile devices to employees’ personal and work lives, this looks like a sound investment.

BYOD & Mobile Security Report from Holger Schulze

 
