Security group raises BYOD concerns


Bring your own device (BYOD) is proving increasingly popular but is causing concerns among information security managers, according to a global survey released by the (ISC)2 Foundation.

It showed that of 12,396 respondents, 53% said their companies allow employees, business partners or both to connect their own devices to networks, and 54% saw a need for more training on BYOD within the information security profession.

But 78% said it poses a somewhat or very significant risk, and 74% thought new security skills would be required to manage the risks. The biggest concerns are over the state of application security (72%), the cloud (70%) and how compliance requirements are affected by BYOD (66%).

The survey was conducted by analyst firm Frost & Sullivan for (ISC)2, a non-profit trust focused on cyber security.

It also shows that companies are more open to allowing user-owned smartphones (87%) and tablets (79%) onto corporate networks than laptops (72%). They are supporting a multitude of platforms, with iOS leading the pack (84%), closely followed by Android (75%), then RIM BlackBerry/QNX (62%) and Windows Mobile (51%).

"Whether approved or not, user-owned tablets and smartphones are connecting into corporate networks and cloud environments," said Michael Suby, Stratecast vice president of research at Frost & Sullivan.

"Furthermore, the escalating capabilities of these devices, such as dual-core processors and multi-gigabytes of storage, add to the level of risk these devices pose to corporate assets and sensitive information. The positive news is that information security professionals are using a growing array of security technologies to stem this risk."

The top technologies identified to mitigate risks include encryption, the use of virtual private networks, and remote lock and wipe functionality. Fewer than half are working with application access control (42%) or authentication (40%), basic controls that exist on traditional IT infrastructures.

Wim Remes, a member of the (ISC)2 board of directors, said: "If approached correctly, with a focus on the data, BYOD can actually improve security and enable the business to compete at a pace that was but a remote dream half a decade ago."

He warned, however, that current efforts are focused on the endpoint rather than on protecting business data and assets.

The main reasons given for using BYOD were to support a mobile workforce (64%), to improve end-user experience (60%), and to reduce operating costs (44%).

The full report of the 2013 (ISC)2 Global Information Security Workforce Study will be published in February.