Private Devices Catch Companies Unaware

More than one in two organizations are unprepared to deal with security breaches to their corporate and employee-owned Bring Your Own Device (BYOD) notebooks, tablets and smartphones.

According to a recent study by ITIC, a research and consulting firm, and KnowBe4, which trains companies in security awareness, half of businesses also say their BYOD devices may have been hacked in the last year.

In “2014 State of Security,” the firms polled 250 companies worldwide. More than half the organizations surveyed (55%) have no plans to beef up security measures, despite the recent spate of security attacks against companies like Target, Skype Snapchat and others.

But BYOD is a fact of office life these days, and most businesses allow employees to bring their own devices to use as corporate desktop or mobile devices that are used to access work email, applications and sensitive data.

Approximately half the survey respondents said their employee and company-owned BYOD devices had not been hacked, compared with about 10% that indicated that desktop devices and smart phones were compromised.

More than two out of every five businesses (43%) have no designated BYOD security policies. Only 13% have policies in place to deal with BYOD deployments; another 9% are developing BYOD procedures. Two out of five businesses admitted they were “unsure,” “had no way of knowing” or “do not require employees to inform them” if their desktops or BYOD devices have been hacked.

Some 45% of businesses take additional security measures, including installing the latest security fixes and patches, conducting security audits and vulnerability testing and initiating computer security training for IT and end users.

Strong anti-virus, intrusion detection and firewalls are the most important/critical element, said 80% of the firms surveyed, and are the most effective mechanism to safeguard their networks, followed by endpoint security.

Some 60% cited physically limiting access to the server room/datacenter and providing end-user security awareness training as crucial to security.