BYOD security problem: Less than 10% of tablet owners use auto-lock

Summary: More of us are bringing our smartphones and tablets to work, but very few enable even the most basic security measures. This can lead to major problems if a device is lost or stolen, so please at least enable auto-lock with a password.


I work for a 67-person engineering consulting firm and every smartphone in the office is brought in by the employee. No one has an Android tablet, but there are about ten people with iPads that connect to our Exchange server. I keep my devices close at hand, but still enable the screen lock function on my phones. I don't have this turned on for my iPad now and actually wasn't too shocked to read an ESET/Harris Interactive study that shows less than 10% of people using their own tablets for work auto-lock them.

Graphic provided by ESET

As more and more people bring their own smartphone and/or tablet into the office, it gets to be quite difficult and costly for IT managers to control access to company data and information. Security professionals have been concerned about BYOD for a while, but as the mobile device market continues to grow, the potential security issues are increasing and the data shows that employees aren't really taking things seriously.

According to the study, the following was measured:

  • Less than 10% of people currently using their own tablets for work have auto-locking enabled.
  • People were more security-savvy about their smartphones, with 25% using auto-lock.
  • One third of laptop users have auto-locking enabled, which means two thirds do not.
  • Auto-locking with password protection was enabled by less than half of laptop users, less than a third of smartphone users, and only one in ten tablet users.

I have a lock on my laptop at work, but think it is actually more important to have a lock enabled on a tablet that you carry around (potentially easier to leave behind too) and take home with you. If you use and connect through Exchange, then it is likely that your IT manager can remote wipe your device if it is lost, or you can do it yourself through Apple, Microsoft, or 3rd party services if you have this functionality enabled on your device. I have password lock enabled and remote wipe capability on my phones, but I do need to take some time to secure my tablets.

BYOD enables you to get access faster, respond and interact with clients from more locations, and have devices that you want to actually own and use. However, companies need to create and enforce policies that give at least some minimal security protection. Auto-locking and password protection are easy to enable on mobile devices, and the few seconds it takes to unlock your device are worth it.

UPDATE: An example of how serious a problem this can be is posted over on Ars Technica where they report that 99% of NASA's portable devices are unencrypted.

  • I have my phone set to Auto lock.

    I can also remote lock, wipe, and track it through iCloud. But being it is my personal device, I will not let anyone else enforce their policies on it. If the company wants that much control, they should get me a blackberry on their dime.
    Jumpin Jack Flash
    • You don't get it

      If you don't want them enforcing their policies on your device, then don't connect your device to their systems (including email). If they want you to get your email 24x7 and you don't BYOD then it's up to them to supply you with a device.
    • Read your IT policy again

      If your employer's IT policy specifically states that all devices that connect to and/or use apps stored on the company network, then even [b]your[/b] device has to be subject to those restrictions if you want it hooked in.

      And BTW... you probably signed a document stating you had read, understood, [b]and would abide by[/b] those policies, either when you were hired or when the policy was implemented.
  • It's easy to enable the force password lock policy on Exchange

    But my users don't want it because "THEY" think they own the device and don't understand why connecting the company's email changed their lock screen.

    There really should be an option of just password locking the contact and email apps, but neither Android nor iOS offers this option.

    The funny thing is people who don't care whether their phone is the company's or not don't mind their phone enforcing a password locking policy, yet BYOD people are annoyed a great deal by it. Makes me think that people who wanted BYOD don't really deserve it.
    • BYOD

      Bring Your Own Device. Again, if the company is not paying for it, they have no right to tell me what to do with my property. It would be like the company requiring all employees to drive green Ford Focuses. It's not going to happen. Now, if the company is paying for it, then they have a say. Like I said, if they're going to give me a Blackberry, on their dime, it's one thing. Until then, it's my phone, so they have no say.
      Jumpin Jack Flash
      • RE:BYOD

        Not that simple. Your company's email is not your property and they have every right to lock that down.

        Like I said, there's just no granularity of locking only the company portion of your device, which means once you've connected your company's email you have to accept the company policy that will apply to the whole device, and it doesn't matter whether it is iOS or Android.

        You have an option of NOT accessing your company's data with your own property and nobody should force you to go BYOD. Likewise, your company shouldn't be requiring all employees to drive green Ford Focuses, but if you're getting subsidies for your car purchase, don't be surprised that they impose limits on your purchasing options.
      • I think you're missing my point.

        Unless the company is paying for the phone, they have no say as to how it is set up. If a company is that concerned, they should be issuing Blackberries to employees. You can't have your cake, and eat it too. The IT department is there to serve the employees, not the other way around.
        Jumpin Jack Flash
      • The IT department is there

        to protect the company's data among other things. If you don't like their policy, don't connect YOUR insecure device to their resources including their internal WiFi.
      • RE:BYOD

        Never posted before but your ignorance of facts forced me to. Your argument is if I own it I can do what I want with it. That is 100% wrong. Your company owns its data and it can dictate the conditions in which it can be transferred to a non-company-owned device, such as the device must have a password, it must be encrypted, they must be able to remotely wipe the device, etc. Furthermore, certain industries such as medical and financial have laws and regulatory bodies that may dictate mobile device policy. So to sum it up, if company data touches a personal device you give up some of your rights over that device. It's really this simple: if you cannot comply with those conditions then don't use a personal device for work.
      • Company's Right

        The only way you can keep your personal device personal is not to connect it at all to the company's network or email or use it for any work related purposes. The company has just as much right to protect their data and interests as you do for yourself. We tell all our employees that they can connect their phones/tablets to our email system but it can be wiped and disabled at any time with or without warning. We already have had a few teachers have themselves compromised by leaving their phone or tablet where a student could get their hands on it. Some of these teachers have lost the ability to use their email on a personal mobile device because of it.
      • But you're not paying for the network.

        @Jumpin Jack Flash

        Yeah, you paid for the phone. But you didn't pay for the company network you want to hook it up to. You're not paying for the software your company uses that you want to access on your smartphone. And you're not paying for the liability insurance & other steps they have to take to safeguard the data on the company servers.

        Guess who paid for it? That's right: [b]the company[/b]. And as I noted above, if the company's IT policy has specific restrictions on how the data & apps can be accessed, or if they have specific restrictions regarding apps and/or permissions that run on any device that accesses the company's data & networks, then you already signed the form stating you understood [b]and would follow[/b] that policy [b]as part of the terms of your employment[/b]. So, before you plan to "go BYOD" and refuse to follow IT's restrictions, you might want to reread your HR manual first...
      • It is a bidirectional relationship

        Why do you want to BYOD? Something has to be in it for you to even bother.

        Perhaps you don't want to carry two tablets or phones around. That is your consideration (as in the legal contract term) in the exchange. The company's consideration is that they can dictate, and perhaps enforce, minimum security requirements.

        The other scenario is that the company mandates you supply your own device. Then your consideration is being employed and hopefully you are getting remunerated enough.

        Both of these scenarios are what you choose to engage in. Otherwise don't expect to be able to use your device on the company's resources on your own terms.

        At one contract, I could not bounce company emails to a non-company account, so I couldn't use my phone even to keep track of emails. However, I could redirect all calls to my mobile, but probably only because they couldn't check that the target phone number was one of theirs.

        Now for the boot on the other foot. How many have used company supplied devices for your private purposes? How would you react if they strictly enforced a 'their device-their data only' policy?
    • For android, there is a 3rd party app.

      When our company implemented their lock policy, I looked at options that would only block the email/contacts and not everything. TouchDown does lock just the email/contacts, but comes with tradeoffs. First, it's $20, which no one (me or company) would pay. Second, calendar/contacts aren't integrated with standard ones. So it's a little funny that the company wants you to use your own device and wants to lock down their email (reasonable request), but won't even pay $20 to do it.
      • Who is wanting the BYOD?

        Very few companies want BYOD. It is mostly being pushed for at the employee/contractor end. So why is it so important for you to BYOD?

        If you can answer that, then you have your benefits, in exchange for which the company can rightly extract its consideration.
      • Android is security hell

        Google does not vet their apps and your next app may contain a keystroke logger which remains even after you delete the app.
    • re:

      "Your company's email is not your property and they have every rights to lock that down."

      So, why do BYOD at all if they want that type of control?

      Makes no sense whatsoever. This is why I think BYOD is DOA. There are simply too many conflicts of ownership.

      And this is why, should I ever work with a company that demands BYOD, there's no way in heck I'm using my own personal device. I'm buying a new one JUST for work purposes and nothing more. It's going to be the cheapest one possible.
      • Exactly

        But some don't want to carry two devices.
  • BYOD IS a security problem . . .

    "BYOD security problem"

    BYOD [i]IS[/i] a security problem. Are businesses really naive enough to think that users are gonna be serious about securing their own personal devices?

    Frankly, I think BYOD is a bad idea to begin with. It has very little benefit with lots of potential drawbacks.
  • Connected networks and your OWN property

    You own your own property. If I *allow* you to connect your own property to my corporate network, I dictate the terms on which it is allowed. I set the policies. You have a choice, connect and leverage the advantages of bringing your own device to my corporate network, or don't and retain control over your decision to keep your data accessible to anyone who gains physical access to your device. That is real simple.

    I'm assuming that MOST BYOD scenarios involve people who WANT to join their personal devices to the corporate network. I don't think many places require MANDATORY BYOD equipment - so that argument seems a far stretch to me. In that case, the answer seems simple. If your company will not pay for corporate devices, REQUIRES you to bring your own, and then wants to exert that much control over the device they've required YOU to purchase - for God's sake man, find another place to work. If they're that unwilling to invest in making you productive and that demanding in this regard, it is going to be a thankless place to work in countless other more important ways, as well.
    • My point is this...

      I am surprised no one has figured it out yet. If the company is not willing to pay for the device, they do not get to set the rules. If they are willing to pay for the phone, laptop, etc, that's quite different. A company can't refuse to pay for a mobile device, then have control over said device. That would be like having to pay to work for the company. If the company needs that much control, then they need to buy Blackberries for the employees. BYOD is not a good idea at all.
      Jumpin Jack Flash