BYOD: Filling the Policy GapsAwareness of Mobile Vulnerabilities Is Top Priority
What steps can organizations take now to fill the gaps?
"It really all begins with a policy," says Vander Wal, ISACA's international president. "What's allowed and what isn't allowed should be clearly addressed in the enterprise's security policy."
Yet, those policies are only as effective as employees are familiar with them. "I would suggest it all start with fostering some sort of culture of security awareness," Vander Wal says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
"It's been true forever: People are the weakest link in a security chain," Vander Wal says. But people also can be strong assets to good organizational security.
"Embedding security awareness into the regular communications and into training and performance evaluations will clearly help foster that security culture that's so critical," he adds.
ISACA recently conducted its fourth global online consumer shopping survey, this time examining the BYOD angle. The findings - which culled data from ISACA's 4,700 global members and more than 1,200 U.S. consumers - suggest the line between corporate-owned devices and personal devices is blurring. And a large number of IT professionals say the risks of BYOD outweigh the benefits.
But BYOD is not going away. "I think it's very important that we try to turn that around, so that in fact we can state that the value will outweigh ... the risk."
During this interview, Vander Wal discusses:
- Why all corporations need clearly stated and enforced BYOD policies that are updated and reviewed at least once per year;
- Global variations in BYOD security policies and perspectives;
- Workforce generational gaps that are making BYOD an overwhelmingly popular trend.
Vander Wal is a member of ISACA's IT Governance Institute Board of Trustees as well as its Guidance and Practices Committee, Knowledge Board and Strategic Advisory Council. He also is co-author of IT Control Objectives for Sarbanes-Oxley, 2nd Edition. Before taking on the his executive role with ISACA, Vander Wal was the national partner at Ernst & Young and was responsible for the firm's global IT quality and risk management program. With more than 40 years of IT experience, he has worked in multiple areas of information systems in a variety of industries, including IT auditing, systems security, quality assurance, systems development, systems programming, and project management. Before joining Ernst & Young in 1979, Vander Wal worked at the Pentagon, where he developed systems to support the Department of Army staff and for a computer software company.
TRACY KITTEN: This is the fourth year ISACA has conducted its global online consumer shopping survey. What stood out about the results this year from years past?
KEN VANDER WAL: In terms of what stood out, we actually examined a new angle this year and it's called bring your own device. As usually is the case with technology, it has become an acronym of BYOD. What we're really referring to is where employees' personal devices are used for work and often connected to the corporate network. The study, which consisted of two different parts, the survey of over 4,700 ISACA members and a consumer survey of more than 1,200 U.S. employees, found that BYOD is rapidly increasing. [It's] actually not surprising, this is especially true with our younger workforce. For example two-thirds of employees between the ages of 18 and 34 say they have a personal device that they also use for work.
KITTEN: With the workplace BYOD survey, how do these results compare to trends that you've been seeing in the industry overall when it comes to bring your own device?
VANDER WAL: They're really very much in line with what we're seeing in the industry and what I've seen in the industry. Our ISACA members because of their roles report being increasingly challenged by the BYOD trend as more and more employees want to use their own devices to fulfill what are really their personal and their business needs.
Key Survey Takeaways
KITTEN: What are the key takeaways from this survey, in your opinion?
VANDER WAL: I think one of the key takeaways is that the line between corporate-owned devices and personal devices are blurring. Now what becomes very important is to have policies and security awareness training, and that's to ensure that the right controls are in place to protect both corporate information as well as personal information. Currently there are a large number of IT professionals that would still say the risk of BYOD outweighs the benefits. Well, BYOD is not going to go away, and so I think it's very important that we try to turn that around so that in fact we can state that the value will outweigh, or does outweigh, the risk.
KITTEN: In the U.S. as well as abroad, online consumer shopping this holiday season is expected to remain about the same level or increase. I don't think that we'll see a decrease in online shopping. What security concerns does this mobile channel pose for employers, especially when it comes to this mix of corporate-issued and personal mobile devices that consumers will be using as they shop this year?
VANDER WAL: I think there are actually a fair number of them. A recent Deloitte study ... showed that 87 percent of executives felt at risk from a cyber attack that would originate from a mobile-security lapse, so that obviously is a big concern for enterprises. Our survey found that the use of mobile shopping apps will triple this year. A clear, related concern to that is how secure are those mobile apps that are being accessed? Then another concern relates to what we've been discussing, the increased use of BYOD devices. Our survey indicates that employees will spend ... an average of 32 hours if they do online shopping, and of those 11 hours are going to be spent using BYOD devices, in other words, devices that are used for work and personal purposes. And most of these devices are needless to say tablets and smart phones. What does that mean? Mobile phones are more easily stolen or lost, or may connect to sites using less-secure networks. They are also less likely to have the same level of protection as a desktop computer that is owned by the company. However, that's really not to say that consumers should avoid mobile devices. Rather, enterprises should be using the resources like ISACA's "Securing Mobile Devices" white paper to help ensure security measures are in place. There are lots of other guidelines as well as to what they can do to obtain the level of security that's needed.
Domestic and International Comparisons
KITTEN: I noted earlier that this survey looks at domestic results as well as international results, and I wanted to do some comparisons here among the global markets. The results collected from these other global markets, such as Western Europe and Asia Pacific, where the use of corporate issued or mix-use mobile devices for online shopping are concerned, what were some of the results that you saw there relative to the domestic results?
VANDER WAL: What we found is that a larger percentage of our IT professionals in Australia and New Zealand actually believe that the risks and benefits of BYOD are equally balanced. It was actually the only region that did not generally say that the risks outweigh the benefits. Now interestingly you mentioned Europe as well, and in Europe we find that organizations are less likely to allow their employees to use personal mobile devices for work purposes, so two kind of interesting contrasts there.
KITTEN: I wanted to also ask about some of the specific security risks. What risks do these so-called BYOD programs pose?
VANDER WAL: As I indicated earlier, you generally will have more stringent security controls in place over company-owned devices, versus the BYOD devices. Without these protections, your personal mobile devices are much riskier to the organization, to the enterprise, as they may be more susceptible to things like hacking, malware, loss and theft. The other problem is, unless it's stated in the policies, enterprises may not have much control over the data that gets stored on these devices, especially the corporate data.
Filling the Gaps
KITTEN: Talking about policy, your survey actually shows that work place BYOD policies are either infrequent or there's low employee awareness about the policies within their organizations. What can employers do to fill some of those gaps?
VANDER WAL: It really all begins with a policy. BYOD, what's allowed and what isn't allowed should be clearly addressed in the enterprise's security policy. The way technology is changing, that policy should be updated on at least an annual basis. Then, once you have the policy, the communication of that policy becomes key. Policies are really only effective when employees are familiar with them and understand the importance of complying with them, and I think the survey of our 1200 consumers really supported the need for an understanding of what the policies are and what they need to be doing.
KITTEN: What specific measures can businesses and organizations take to enhance employee awareness within their companies?
VANDER WAL: I would suggest it all start with fostering some sort of culture of security awareness. It's been true forever in that people are the weakest link in a security chain. But having said that, [people] can also be significant assets to good security, so embedding security awareness into the regular communications and to training and performance evaluations will clearly help foster that security culture that's so critical.
KITTEN: Could you tell us if there are any global variations or varying security concerns that exist in certain global markets and maybe perhaps if you see certain campaigns taking place as far as employee awareness that aren't taking place across the globe?
VANDER WAL: We had a pretty good representation from our global regions if you will, more than 4,700 ISACA members from six different regions. We were able to determine some trends. Overall, the results are similar with some differences. We discussed one and that was where Oceania was the only region where actually a larger percentage of respondents believed that the risk and benefits of BYOD are appropriately balanced versus all the other areas where more respondents said that the risks outweigh the benefits. And despite that every region except Europe generally allows personal devices to be used for work purposes, European respondents were more likely to say that their enterprises limit or prohibit BYOD devices. One other variation in the responses to note is that respondents in Europe, North America and Oceania said that their enterprises allow employees to use company assets and time, and this is interesting, for personal purposes to promote work-life balance, while those in Asia, Latin America and Africa say that their enterprises generally restrict employees using IT assets due to the security concerns. So there's somewhat of a 50/50 split there amongst our six regions.
KITTEN: What are some of final thoughts or general takeaways from the survey that you would like to leave our audience with?
VANDER WAL: One of the things that I think we found is that there's still a fairly large gap between what IT departments are doing and what employees may realize, and this kind of came out more so from our consumer survey, because with our ISACA member survey they're probably closer to what IT is doing. The task really at hand is to minimize that gap with the intent that we can then promote good security, embrace it and educate employees on the risks and how to provide the appropriate level of security. It's a combination of technology, as well the policies and communication that we talked about earlier. The full survey is available on our website, www.ISACA.org, and then they can click on the survey that's on that homepage.