- A growing number of surveys highlight an ugly truth about BYOD programs: too many employees choose to ignore policies.
- CIOs and CISOs need to get creative and employ more effective carrot-and-stick approaches to ensure compliance, including interactive security training and education, and making non-compliance count against employees' annual performance reviews.
As if CISOs didn’t have enough to worry about, a new survey that came out this week shed more light on an ugly little secret when it comes to BYOD: a significant number of employees think they have little or no role in protecting the data stored on their smartphone or tablet.
The survey, sponsored by identity management vendor Centrify, found that 15% of the 500 employees it polled felt little to no responsibility to protect locally stored data. The survey, which covered employees in medium-sized to large enterprises, also found that over 15% said their personal accounts or passwords had been compromised. Moreover, 43% said they had accessed sensitive corporate data while on an unsecured public wireless network. This reinforces the findings of earlier surveys conducted by Absolute Software and Fortinet that also highlighted employee indifference to BYOD policies. The Fortinet survey last fall focused specifically on Gen Y workers between the ages of 21 and 32 and their attitudes toward BYOD policies. In that poll of 3,200 employees, slightly over half said they would ignore their employers’ formal BYOD policies.
So, what can a beleaguered CIO or CISO do about these attitudes and behaviors? Get creative around employee education: don’t just hand employees a lengthy policy statement to read and sign; use interactive security training focused specifically on the kinds of risky mobile behavior that can get both the company and the employee in trouble. Make sure the employee understands, in both business and personal terms, what’s at stake. The study done by Absolute Software late last year found that nearly 60% of the 750 U.S. employees it polled thought the value of the corporate data residing on their smartphones was under $500, a gross underestimation. CIOs can also require that security training be completed before access from employee-owned devices is allowed. Or they can require that employees sign a document permitting personal smartphone use at work only if the employee installs a corporate mobile device management (MDM) client. For higher-risk workers, those who routinely access sensitive corporate information, it may make far more sense to put an attractive ‘corporate-owned, personally enabled’ (COPE) program in place as an alternative to employee-owned devices, and to let those workers know that activity monitoring is part of the deal.
I’ve also seen suggestions that employers make compliance with mobile security policies part of employees’ annual performance reviews, and I think that can also be effective if real consequences are attached to non-compliance. Employees will almost always make better choices when they personally benefit from, or avoid penalties for, those decisions.
Of course, it would really help make the case for policy compliance if we saw a Target-sized, publicly disclosed breach caused by a non-compliant worker using their own smartphone. That event is probably just a matter of time, and it is likely to happen sooner rather than later.