A recent study by Champion Solutions Group showed some very surprising results. While we have come to rely on mobile devices as a critical aspect of business communications, the research found glaring deficiencies underlying the administration of those devices.
Champion surveyed 447 IT decision makers from a wide variety of sectors to determine the state of the practice in mobile policy enforcement and security.
The key takeaway is that we’re still in the early stages of dealing with the explosion of BYOD in business. Less than one-half of businesses polled have a formal BYOD policy, and fewer than one in five require multifactor authentication for mobile.
The findings show a clear split in BYOD approaches, and many companies remain quite immature in theirs:
- Organizations are nearly evenly split between those that have a formal BYOD policy (47 percent) and those that do not (53 percent).
- When it comes to password policies, most organizations favor complex alphanumeric passwords of six to 10 characters.
- More than three-quarters (77 percent) of those polled have policies to lock out devices after multiple failed login attempts, usually between three and five failed tries.
- Around 72 percent of organizations require re-authentication of mobile devices after periods of inactivity, with most opting for lockout after five to 15 minutes.
- The vast majority of those polled have provisions in place for expiring passwords and prohibiting reuse of old passwords.
There is really no reason that companies can’t roll out a BYOD policy in short order, to allow employees to use their devices but to protect the company at the same time. Here’s a policy template from IT Manager Daily, for example, that requires the company to detail what is and isn’t allowed — such as prohibiting or allowing cell camera use while in the company’s facilities, or enumerating which apps are prohibited and spelling out in detail what the security policies will be.
Most importantly, according to Matt Karlyn of Cooley LLC, a tech-savvy law practice, a good BYOD policy will clarify the rights of both the company and the employee. His advice is that a good BYOD policy lays out general rules about personal mobile device usage.
It clearly articulates what the company’s rights are with respect to monitoring, accessing and reviewing all the data stored on, processed or used by the particular device. It goes through the employee’s obligations with respect to keeping the device secure, password requirements, all the things you’d expect to see in a general IT policy. It talks about what happens if you’re terminated or decide to leave the company.
Karlyn concludes that one of the goals should be to avoid any surprises, for example, when litigation or other events lead the company to access or wipe the employee’s device.
As the market for smartphones continues to grow, these issues will only become more important. Market research firm IDC has predicted that nearly 2 billion smartphones will ship globally by 2019, and as many as 60 percent of them will be used in BYOD settings. MarketsandMarkets has projected that to be a market of over $250 billion, a 200 percent spike in six years.
Given that sort of growth, it may be unsurprising that formal BYOD policies and security provisions aren’t ubiquitous, but companies will have to get on the dime if they want to sidestep the dangers inherent in informally managed BYOD. Both companies and employees will need to understand and set policies to manage data securely.
This is only going to grow in importance as employees begin to bring other devices to work, and not just smartphones and tablets. When corporate information can find its way to smartwatches, augmented and virtual reality gear, or other connected devices, we’ll have to expand the purview of BYOD policies.
Consider the recent concerns about ‘Hello Barbie’, a doll that can listen to conversations, upload the audio to a server with AI capabilities to interpret them, and then respond intelligently. The basic idea seems appealing, superficially. Wouldn’t it be nice to have a doll that can talk with your child, and ‘get to know them’, quote unquote? But it winds up in creepyville when such a toy could be building a profile of your children’s interests, or simply archiving a record of everything it hears your child say.
So even something as apparently utilitarian as an Amazon Echo in the lunchroom, that listens to requests and queues up music, poses some of the same security questions as a smartphone in a confidential meeting. And such devices — all 21 billion of them in 2020 — will have to be considered as part of an overarching BYOD strategy, and soon.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.