BAE Systems Detica has taken a new look at the security of BYOD, this time from the user's viewpoint rather than the corporate one. The result is a little surprising: users may be more open to co-operating with IT than the company thinks. An online survey of more than 4000 adults conducted by YouGov for Detica shows that almost a third of office employees (30%) think they should be made directly responsible for data loss or theft. Forty-four percent believe both they and the company should be equally responsible, while only 13% think it is solely the company’s responsibility.
Yesterday, 41st Parameter warned that cybercriminals will take the route of least resistance. “Since fraudsters typically attack the weakest point of ingress, and without the proper device recognition and detection systems in place, the mobile channel may soon emerge as their channel of choice,” it warned.
If that happens, it is the company and not the employee that is responsible for any lost data. In March of this year the UK’s data protection regulator (the ICO) warned companies: “Regardless of where the data is stored, you will have to take appropriate measures to protect against unauthorised or unlawful access, for example if the device is lost or stolen. This remains your responsibility as the data controller.”
The problem is that BYOD is clearly a weak point of ingress, and likely to be increasingly attacked by cybercriminals. But the Detica research shows that, despite their willingness to co-operate over security, employees don’t really understand it: half of employees don’t recognise that their own insecurity might compromise their employer.
This is where the research is so revealing, and potentially promising. More than half of employees are willing to improve their security, provided that the company takes the lead. And more than half (53%) would not object to the company strengthening the security of their personal device, compared to just 26% who would object.
“Our research shows that there is a willingness of staff to engage in the security debate and to share the responsibility for security, but they are really looking for employers to take the lead,” comments Vincent Geake, director of secure mobility at Detica. “Businesses must capitalise on this and educate employees about the risks of using their own devices and non up-to-date security. This is even more pertinent given that responsibility for a security breach involving customer data lies with the company itself and not its staff.”
The solution to the BYOD problem lies in better engagement with employees. “If management can step back from imposing and start engaging with staff, they will get further,” Geake told Infosecurity. “It’s about engaging with people to educate them about the importance of security rather than imposing a system. Most employees are neither ignorant of nor awkward about these issues and are willing to engage in these debates, so the challenge is for businesses to communicate the challenges around BYOD as effectively as possible with their staff.”