Should security be responsible for BYOD policy?

The Bring-Your-Own-Device movement keeps charging forward. The trend of allowing employees to use their own devices to access their employer’s network and get work done while mobile continues to grow, with many estimates putting BYOD-allowing organizations in the majority. A number of estimates I’ve read put that figure in excess of 60 percent – about two-thirds of businesses – which now allow end users to BYOD and use their iPhones, iPads, Android-based smartphones, tablets, etc.,  to access organizational data including email, applications and sensitive data.

But this trend is rubbing up against security, and many organizations have not yet dealt head-on with the larger questions about BYOD’s implications for security and corporate privacy. A study published this month finds that 71 percent of businesses that allow BYOD have no specific policies and procedures in place to support BYOD deployment and ensure security. The study was conducted by KnowBe4, a security awareness training firm, and ITIC, a research and consulting firm based in the Boston area.

The ITIC/KnowBe4.com survey polled 550 companies worldwide in July and August. The survey found that only 13 percent of respondents said their firms have specific policies in place to deal with BYOD deployments, while another nine percent indicated they were in the process of developing BYOD procedures.

Among the other ITIC/KnowBe4.com survey highlights:

•Organizations are split on who takes responsibility for the security of BYOD devices. Some 37 percent of respondents indicated the corporation was responsible; 39 percent said the end users were responsible; 21 percent said both bear equal responsibility and the remaining three percent were “Unsure.”

•Presently, 51 percent of workers utilize smart phones as their BYOD devices; another 44 percent use notebooks and ultra books, while 31 percent of respondents indicated they use tablets (most notably the Apple iPad) and 23 percent use home-based desktop PCs or Macs.

•A 57 percent majority of respondents said the end users purchased/owned their BYOD devices; compared with only 19 percent that indicated the corporation buys and owns them.

•The top three challenges with respect to BYOD deployment were: difficulty of management and support (63 percent); provisioning new applications (59 percent) and security (48 percent).

As this study notes, only 13 percent of organizations polled have a BYOD policy. That figure sounds very low, but I suspect it will grow dramatically in the next 12-24 months. So, what should security’s role be in developing BYOD policy at their organization? Security leaders we’ve spoken to at CSO know this trend isn’t going anywhere, and are adjusting their security strategy accordingly.

For example, one of CSO’s 2012 Compass Award winners, Kristin Lovejoy, IBM’s VP of IT risk, positioned her IT risk department to find solutions, not veto plans, for BYOD at IBM.

From CSO contributor Constantine Von Hoffman’s piece on Lovejoy:

Lovejoy, who had previously been vice president of security strategy at IBM, says that instead of waiting until BYOD was planned out, she and her team got involved at the start. In fact, her department helped create the business case for letting employees do this. By the end of the first year, the initiative was supporting 100,000 devices. This allowed employees to use social media to further IBM’s business agenda, and to adopt cloud computing on a wide scale.

Lovejoy knew that by getting her department involved at the outset, it made security part of enabling the technology, and took them away from them often-dreaded label of “the department of no.” If you’re just getting started on BYOD policy, check out these tips on good questions to ask before creating a BYOD policy in Mobile device security: 5 questions to ask when creating policy.

Where does your organization stand on BYOD? Are you allowing users to access your network, check work email and store corporate information in cloud-based services with their own devices? If you are, does your organization have any policy in place to mitigate some of the threats associated with BYOD, such as device theft, or infection via malware unwittingly downloaded users? Leave a comment with your thoughts or email me at jgoodchild@cxo.com.