Study Shows Most IT Departments Fail To Explain Or Enforce iPhone/iPad Security

A new study shows that IT departments are dropping the ball when it comes to mobile security.

Another study of the bring your own device (BYOD) phenomenon concludes that the trend of employees bringing their personal iPhones, iPads, and other devices into the office shows no sign of slowing down. It also confirms previous reports indicating that many personal devices used in the workplace don’t have even basic security features enabled.

The study by Coalfire, a company that specializes in IT risk management services, paints a particularly grim picture of the lack of security for iOS and Android devices in the workplace. With the BYOD trend showing no signs of slowing or ending, Coalfire CEO Rick Dakin notes that companies cannot afford to keep ignoring mobile security concerns.

The BYOD trend is not slowing down, and while it has many benefits, it’s also introducing a number of new security risks that may be foreign to many companies. The results of this survey demonstrate that companies must do much more to protect their critical infrastructure as employees work from their own mobile devices, such as tablets and smartphones, in the workplace. Companies need to have security and education policies in place that protect company data on personal devices.

Coalfire surveyed 400 individuals working in a range of industries across North America and found that 84% of employees rely on a single smartphone for both work and personal use. The survey found several concerning statistics about the devices used by those employees.

  • 47% reported they have no passcode on their mobile phone
  • 36% reuse the same password
  • 60% are still writing down passwords on a piece of paper and 7% store passwords in an unsecured document on their Mac or PC

As disturbing as that last piece of data is, it was accompanied by some good news as about one-quarter (24%) of respondents report using password manager apps while 11% said that they store passwords in an encrypted document on their computer.

While that is disturbing news, it does seem to fit with Coalfire’s findings about how proactive IT departments are being about mobile security and personally-owned devices.

  • 49% stated their IT departments have not discussed mobile/cyber security with them
  • 25% said that they had been briefed about security and password concerns by their IT department
  • 18% worked for businesses without an IT department (presumably for smaller organizations without the need or resources for a dedicated staff)
  • 8% said they weren’t sure if an IT staff member had discussed security issues with them
  • 51% claimed that their companies do not have the ability to remotely wipe data from mobile devices if locked, lost, or stolen
  • 21% said that their companies did have the ability to remotely wipe their devices
  • 28% didn’t know if their IT department could remotely wipe a device or not

The study also uncovered similar results when it comes to BYOD policies.

  • 37% said their employer had a formal policy of some type in place and an equal number (37%) said their employer did not have a policy in place
  • 26% said they weren’t sure if there was a BYOD policy

Asked who they would contact about a lost device, the majority (56%) said they didn’t know or weren’t sure. 15% said they would call their mobile carrier. Just under a third (29%) said they would call their company or IT department.

The key lesson here is that IT departments, senior executives, department managers, and even HR staff need to take a much more proactive role in engaging staff about their mobile device use. That engagement needs to include explicit education about policies, security risks, and potential actions that might be taken if users don’t follow security guidelines.

  • technochick

    400 people. You are drawing your doomsday talk from that.

    A new low there Ryan.

  • rpaulsingh

    A bit of scare tactics by someone to sell their services. BYOD is for real and enterprises have to rethink security for mobile devices. Also, protecting the device is the wrong way to go and enterprises should focus instead on securing their data, a point this article sorely misses.

  • akafel

    The issues with BYOD are real, and Ryan did a fine job summarizing the results of the survey. However, the emphasis of this survey is on protecting the mobile device, which is just one aspect of BYOD Done Right. Many organizations such as universities don’t need to worry about protecting the device or data on the device – because these devices are owned by the users and implementing mobile device management (MDM) software on user-owned devices is not necessary and may run into privacy issues. A bigger and more important aspect of BYOD Done Right is protecting the network resources. And this must be done in the switches or WiFi Access Points by defining context-aware policies that provide intelligent Identity and Access Management (IAM) based on user, device, location, time of day, etc. My company is in this business and we have such a product called Mobile IAM http://www.onefabric.net/byod/index.aspx

  • Alfred2612

    400 people. You are drawing your doomsday talk from that.

    A new low there Ryan.

    Good grief. 400 people is a perfectly acceptable number for a survey of this type. It is a survey on business trends, not a pharmaceutical trial.

  • Alfred2612

    Great post Ryan.

    I think that when an employee wants to access company data on their own personal devices, they should be compelled to sign a contract or agreement, specifying how they use their device:

    * run relevant anti-virus software
    * have the device password (or PIN) protected
    * to never store passwords in e-mails
    * and so on

    If they don’t want to agree, they can’t bring their own device.

    Coz right now – even in some large Fortune 500 companies – an employee can have access to their work e-mail on their phone, which has no passcode on it, and their e-mail could contain passwords or other sensitive information about the company or about their customers. Phone lost? Whoever finds it has access to everything!

  • technochick
    400 people. You are drawing your doomsday talk from that.

    A new low there Ryan.

    Good grief. 400 people is a perfectly acceptable number for a survey of this type. It is a survey on business trends, not a pharmaceutical trial.

    When the author posits this as a reflection of a vast whole, 400 out of hundreds of thousands is not a ‘perfectly acceptable number’. But it is classic for Mr Faas. He backs up all his statements with flimsy to no evidence.

About the author

Ryan Faas is a technology journalist and consultant living in upstate New York who has written extensively about Apple, business and enterprise IT, and the mobile industry. In addition to writing for Cult of Mac, he is a contributor to Computerworld, InformIT, and Peachpit Press. In a previous existence he was a healthcare IT director as well as a systems and network administrator.
