KnowBe4 and ITIC Latest Study Reveal Companies Lack Security for “BYOD”



According to new findings from KnowBe4, a security awareness training firm, and research
firm ITIC, a large percentage of companies do not have security procedures in place for
“bring your own device” programs.

CLEARWATER, Fla., September 4, 2012 - While BYOD (bring your own device) deployments
have been among the biggest trends in corporate computing usage in the last 12 to 18
months, a recent study found that 71% of businesses that allow BYOD have no specific
policies and procedures in place to support BYOD deployment and ensure security. The
study was conducted by KnowBe4, a security awareness training firm, and ITIC, a research
and consulting firm based in the Boston area specializing in conducting independent surveys
tracking crucial trends.

Nearly two-thirds of businesses now allow end users to bring their own devices and use
them as corporate desktop or mobile devices to access organizational data including email,
applications and sensitive data. BYOD usage does help businesses contain costs and lower
the administrative burden of IT departments as end users manage, maintain and in many
cases pay for their own devices. However, there is a huge downside to this trend: security.

Kevin Mitnick (former ‘most-wanted’ hacker), KnowBe4’s Chief Hacking Officer, said: “Mobile
devices are the new target-rich environment. Based on lessons learned in the early days
of the personal computer, businesses should make it a top priority to proactively address
mobile security so they avoid the same mistakes [of the PC era] that resulted in untold
system downtime and billions of dollars in economic loss.”

The ITIC/KnowBe4.com survey polled 550 companies worldwide in July and August. The
survey found that only 13% of respondents said their firms have specific policies in place to
deal with BYOD deployments, while another nine percent indicated they were in the process
of developing BYOD procedures.

More firms are changing to the BYOD model. Legal services leader Foley & Lardner deployed
BYOD in October of 2009. According to a recent article, the firm implemented this program
to cut costs and enable their employees to work anywhere, anytime. Personal devices are
said to be protected from “within the secure confines of our data center” (1).

BYOD can render corporations extremely vulnerable to security breaches. Unless the
corporation has strong, effective policy, procedure and security awareness training in place
to govern BYOD usage, the company and its sensitive corporate data could be put in a
precarious position in the event that a mobile device is lost, stolen or, more likely,
hacked, a real possibility in recent times (2).

Among the other ITIC/KnowBe4.com survey highlights:

- Organizations are split on who takes responsibility for the security of BYOD devices.
  Some 37% of respondents indicated the corporation was responsible; 39% said
  the end users were responsible; 21% said both bear equal responsibility and the
  remaining three percent were “Unsure.”
- Presently, 51% of workers utilize smartphones as their BYOD devices; another 44%
  use notebooks and ultrabooks, while 31% of respondents indicated they use tablets
  (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs.
- A 57% majority of respondents said the end users purchased/owned their BYOD
  devices, compared with only 19% that indicated the corporation buys and owns
  them.
- The top three challenges with respect to BYOD deployment were: difficulty of
  management and support (63%); provisioning new applications (59%) and security
  (48%).

ITIC principal analyst Laura DiDio added, “These survey findings should galvanize
corporations to safeguard their data in advance of an expensive and potentially crippling
loss or hack.”

As necessary and vital security measures, every firm, regardless of size, should conduct
a risk assessment review, adopt the ‘defense-in-depth’ strategy and create a strong first
layer: security policy, procedure and security awareness training to deal with BYOD
deployments.

The “defense-in-depth” strategy’s security awareness training is an important element in
BYOD deployments, and Kevin Mitnick Security Training addresses that issue. This training
specializes in making sure employees understand the mechanisms of spam, phishing, spear-
phishing, malware and social engineering, and are able to apply this knowledge to their
personal devices used for and at the workplace.

About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based
Security Awareness Training to small and medium-sized enterprises. A data security expert
with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500
company Sunbelt Software, an award-winning anti-malware software company that he and
his partner sold to GFI Software in 2010. Realizing that the human element of security was
being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime
tactics through advanced Security Awareness Training. He and his colleagues work with
companies in many different industries, including highly regulated fields such as healthcare,
finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist:
The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

(1) ZDnet.com, August 23, 2012. “Legal services leader and SMB Foley & Lardner
makes strong case for BYOD”
www.zdnet.com/legal-services-leader-and-smb-foley-and-lardner-makes-strong-case-for-byod-7000003094/
(2) “HP Research Reveals 56 Percent Rise in Cost of Cybercrime”; published on HP.com,
August 2, 2011. www.hp.com/hpinfo/newsroom/press/2011/110802xa.html

Media Inquiries:

Karla Jo Helms

CEO

JoTo PR

Phone: 888-202-4614

http://www.JoToPR.com
