Researchers explored the implications of allowing employees to bring their own devices for sensitive work tasks.
A new report from cloud security company Bitglass found that employers are losing control of their enterprise’s cybersecurity reins due to the explosion of the bring your own device (BYOD) trend.
Researchers surveyed IT professionals and cybersecurity workers to explore how organizations are dealing with the move toward allowing employee-purchased devices to be used within the workplace. Nearly 70% of respondents said employees are allowed to bring their own devices to work while more than 20% said contractors and partners were also allowed to do so.
But now that data breaches have become a daily occurrence, the security concerns around the use of personal devices have given cybersecurity experts pause. According to the survey, 63% of respondents expressed concerns about data leakage, insecure app downloads, or unsafe content.
More than half of survey respondents said they had concerns about malware and unauthorized access to company systems and data.
“The top two reasons enterprises hesitate to enable BYOD relate to company security and employee privacy,” said Anurag Kahol, CTO of Bitglass. “However, the reality is that today’s work environment requires the flexibility and remote access that the use of personal devices enables.”
For 47% of respondents, the inability to control endpoint security and the logistics around device management were also major security concerns.
“While many have embraced BYOD as a core initiative, others have resisted its adoption. The top two reasons enterprises hesitate to enable BYOD relate to company security (31%) and employee privacy (15%). Despite this, there are ways to safely enable employees to work from personal endpoints without violating their privacy,” the report said.
The problems come to a head when IT teams ask to secure personal devices. According to the survey, many employees are extremely reluctant to give their employers access to personal devices, even when they are used for work-related tasks.
Nearly 60% of respondents said they need physical access to a device before it can be used for work purposes and another 52% said they need the device PIN. Other respondents said they need root access, passwords to cloud accounts or backups, and more. The study notes that all of these are a violation of user privacy but are necessary when securing mobile devices.
Another major concern expressed by IT officials in the survey is visibility into specific applications on personal devices. Most workplaces now use a variety of digital tools to share documents, files and messages, but these have to be secured considering how common email-based cyberattacks are these days.
The study references a recent attack on Presbyterian Healthcare Services that was leveraged through the email accounts of employees. More than 70% of survey respondents said they had visibility into email accounts on personal devices while 57% said they had access to calendars and contacts.
But IT teams have even less control over shared files and connected workplace apps, with 30% of respondents saying they have no visibility or control over mobile enterprise messaging.
“Despite the fact that mobile enterprise messaging apps are being used more than ever, most organizations lack visibility and control over them, creating a large number of opportunities for attackers to compromise these SaaS apps,” the study read.
“Users can quickly share sensitive information like customer credit card numbers via chat or by sharing a file through the app. This information can then be stored or shared by the personal devices on which it is accessed or downloaded.”
Less than 30% of people who spoke to researchers said they had access to messages shared over private channels or control over external collaborator permissions. Employee privacy is the main issue for both IT workers and employers. According to the report, most employees balk at having their privacy invaded by employers, even when it is in an effort to protect the cybersecurity of an organization.
The situation has been exacerbated by the fact that millions of people are still working from home, giving organizations even less purview over device security.
“To remedy this standoff, companies need comprehensive cloud security platforms that are designed to secure any interaction between users, devices, apps, or web destinations,” Kahol said.