Employees’ desire for convenience and the enterprises’ need for greater productivity have converged in no small way to fuel the BYOD momentum. Because of the irresistible benefits that mobile brings, most organizations, it seems, are willing to bear the increased risk to information. But what, exactly, can you do to reduce the information security risks that personal devices bring to your organization? To what extent has your approach to end-user information security awareness evolved to educate your users about these new risks? If you haven’t done anything to address this need, then your risk management strategy has a substantial gap. And that gap is growing with each new device that signs onto your networks.
The BYOD phenomenon presents a classic inflection point, beyond which your vulnerabilities can mount exponentially, unless immediately and adequately checked. “But,” you might say, “we have a BYOD policy in place.” That may be true, but do your employees really understand the risks the policy seeks to mitigate? Are they willing to submit their devices to IT controls? Do they practice the behaviors known to increase device security? The fact is, your organization has most likely already been exposed to potential breaches and costly non-compliance conditions—most of which, if realized, will be found to be due to the negligence or, unfortunately, the ignorance of employees.
A telling survey by Globo reveals that most companies are not communicating their BYOD policies to their employees. More startling, however, the survey found that if IT were to clearly state that, as part of a BYOD policy, they had access to employees’ personal information, 93% of respondents would not participate in a BYOD program. (Most employees are also likely unaware that their personally-owned devices can be confiscated for discovery purposes should their employer be involved in litigation, or that their devices can be remotely wiped by the IT department.) And yet, as the Globo study also found, 69% of respondents said they would not consider breaking a company policy regarding BYOD—even if they knew that they would not get caught. In other words, employees want to do the right thing—they just don’t know what that means.
While this is clearly a problem, BYOD also provides a tremendous opportunity for IT departments to forge a proper human endpoint security awareness initiative. In fact, because of the high level of employee motivation associated with their personally-owned devices—who doesn’t want to protect their own phone?—there is a golden opportunity to introduce a security awareness program that not only addresses material BYOD issues and behaviors, but information security overall. Because BYOD represents such a key risk area for IT, it may also be the tipping point for creating a compelling business case for implementing a truly effective security awareness program now, when it is most needed, and while informational assets are most exposed. For once, user motivation is on your side.