BYOD mobile workers thumbing nose at IT security

Summary: Nearly one in four BYOD mobile workers with smartphones and tablets are employing workarounds to bypass IT controls on corporate data.

TOPICS: Security, Mobility

Nearly 25% of mobile workers say they employ some sort of workaround on their smartphones to bypass IT controls and get at corporate data, while 12% of tablet users say they use similar tactics, according to the quarterly iPass Mobile Workforce Report.

While securing corporate data doesn’t seem of importance to some mobile users, their attitudes change when security involves their own data. Three out of four mobile workers said they use a passcode lock on their smartphones and 40% say they use one on their tablets, according to the iPass report.

iPass is a provider of global wireless networks.

Mobile workers’ desire to protect their data is a bit misguided, however, as passcode locks are a notoriously lax form of mobile device security.

With Bring Your Own Device (BYOD) becoming a major trend in enterprise computing, IT departments would be wise to save users from the dangers of their own actions, according to the report's authors.

However, that is more easily said than done. There are a number of options to consider. Work is being done in the areas of authentication and authorization to automate access controls, using technologies such as OAuth 2.0, and in the areas of mobile device management and data encryption.

According to the survey, some IT departments are using remote wipe capabilities as a line of defense against data loss with 55% of mobile workers saying they are required to have the capability on smartphones while 30% say it is required on tablets.

Nineteen percent said they are not required to have wipe capabilities on their smartphones, while 10% said they don’t have it on their tablets.

Overall, 74% of companies require some form of security to protect corporate data on a smartphone and 24% require that protection on a tablet.

Those that try to bypass the security say they have their reasons: 16% said IT is slow in responding, 21% said they needed to do something immediately and could not wait for IT, 10% cited strict IT policies, and 9% said it was too much hassle to deal with IT.

The survey concluded that the sense of ownership that accompanies BYOD may be encouraging mobile workers to bend IT rules and take the attitude of ‘my device, my rules.’

The iPass survey predicts the next clash between IT and end users will come over BYON, Bring Your Own Network, where mobile workers will bring their own roaming plans from their service providers. iPass said enterprises will have to consider connection managers to enable seamless handovers between networks, universal access methods and an open footprint to Wi-Fi networks.

The iPass Mobile Workforce Report was built from surveys of 1,200 mobile workers at hundreds of enterprises worldwide. The survey was conducted between June 19, 2012, and July 13, 2012.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • How long before Apple sues "iPass"?

    Still, most end users have zero concept of security... amongst other issues, but that's the downside to having spoonfed sheep as employees...
    • abuse...

      I wonder if my mechanic calls me names because I'm not trained to overhaul engines. Or if my doctor belittles me because I'm not trained to interpret EKG results. I hope not. It seems a bit immature to me to be calling people operating out of different disciplines than your own disparaging names. I see that way too often in these blogs. Please, more maturity.


  • No surprise here. IT must realize that a large percentage of employees

    do not or minimally care about corporate data security. No amount of wishing they would will change that. Any corp (IT) that allows ios/android devices access to corporate data is just asking for data breach. It should fully expect to see sensitive corporate data made publicly available on the internet as a result. IT's responsibility is to enable scenarios to the extent they can without crossing the line to allowing insecure devices data access. If this cuts off some byod devices it's a necessary tradeoff. These employees that aren't concerned about corporate data security need to have their eyes opened.
    Johnny Vegas
  • Future headline

    "BYOD workers filling unemployment lines"

    The last thing any company needs are some rogue employees who feel data governance and compliance controls are "getting in their way". For workers who feel like this I'd like to find a way to make them accountable for the various violation fines companies get slapped with.

    "Company XYZ who had reported a lost iPad with thousands of contract details has since fired employee Frank Smith for violating their data protection policies. Company representatives will be filing a lawsuit for breach of company policies, wrongful fines and seek compensation".

    Maybe a few people going bankrupt and having their lives ruined will send the proper message or even better whenever a company has a data breach, put the blame squarely on the employee at fault.

    Seriously though, our BYOD policy has clear language of acceptable usage and those violating said policy get a warning, suspension and up to termination.
    • You place the blame in the wrong place

      You make the employee the main culprit. It was the COMPANY who decided to be cheap and save a buck by having employees bring their own devices. Therefore, it's the COMPANY's responsibility to make sure the data is secure. If the company doesn't invest in an effective mobile device management solution, I'd like to see how successful your scenario would be in court.

      Bottom line is: how much is the data worth to the Company? Is saving a few bucks on cell phones and tablets worth the value of the data that *will* ['cause it's gonna happen] be lost? How much will the company spend on an MDM solution and lost data vs paying for devices, locking them down the way they want and minimal data leakage?

      Suing employees let Companies hang heads on stakes outside the city walls to make a point. But that creates a snowball effect including hostile work environment, low morale and loss of customer loyalty.
      • Agree whole-heartedly that the blame is in the wrong place

        IT security protects data and services. These are valuable company assets that should be protected as part of an organization's risk management plan. As with any other asset, company management is accountable to the board, and the board accountable to shareholders. Company management must set the requirements for IT to execute. If employees are circumventing this they are not complying with company policies. Still, IT must make the effort to make security as painless as possible.
      • Not really

        I see most BYOD people as ones who don't care for the "uncool" devices that the business provides or ones who cannot justify the expense for the company to provide a phone.

        Unfortunately they have discovered how to go around the controls in place and too many managers are turning a blind eye because they are getting extra work outside of work hours from these people.

        For now the people put in charge of stopping and preventing this are turning a blind eye and it is NOT IT. As usual with these actions, it will just take the first major breach or fine to put an end to them.
      • Did we read the same article?

        This article doesn't appear to be about companies that have asked employees to bring their own devices; it's about workers who CHOOSE to do this and CHOOSE to bypass security to get data on their devices which they're not authorized to have on there.
    • "That'll BE their warning."

      "Seriously though, our BYOD policy has clear language of acceptable usage and those violating said policy get a warning, suspension and up to termination."

      Whoa - three strikes to earn termination?

      In Pterry Pratchett's Discworld novel, "Soul Music", the owner of a guitar shop instructs his troll shop assistant in some new rules:

      "...and if anyone tries to play 'Pathway to Paradise', rip their head off."

      "Shouldn't I give 'em a warning?"

      "That'll BE their warning."
    • Fully agree

      Either corp leaders are intellectually challenged, or there will be a host of termination notices in the near future. Employees who independently choose to put the entire company at risk are not doing anyone a favor, and must somehow be educated.
  • I thought ZDnet was a reputable news site?

    Can you proofread your articles before releasing to us mere mortals? Content, not too shabby... However, the spelling is terrible!
  • [channeling Iago the Parrot from Aladdin]

    I am not surprised.

    I am so not surprised I could just moult!
  • Am I the only one...

    to insist my company choose a secure solution or don't do it at all? Comparatively, it wasn't that expensive to implement and maintain a secure solution vs. 'going on the cheap.' These work-arounds and pulling something over on IT come down to two things: good, consistent security awareness education and top-down support for security. For some of you that may be a nirvana.
  • Internal Hackers

    We ran into this problem already a few years ago. We referred to them as "Internal Hackers", because that's essentially what they were doing, accessing data without using the approved software to update the data. Links were getting messed up, data was getting out of sync, it was a mess.

    I met up with the head of SQL Server at a Microsoft conference and explained our problem (users that have valid permissions so they could get into the databases through our programs were using those rights to get in without using the programs), and they were kind of stunned, as no one had brought the problem to their attention before.

    We've ended up putting a trigger on our SQL Server, and put the trigger in the connection strings of our authorized software. Now, the users can get in with our programs, but not without.
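
A server-level logon trigger of the kind the comment above describes, as an added example that is not the commenter's code. It assumes the approved programs identify themselves with the `Application Name` connection-string keyword; `OrdersDesktop` and `OrdersBatch` are hypothetical names.

```sql
-- Added example (T-SQL). Assumption: approved programs connect with
-- "Application Name=OrdersDesktop" or "Application Name=OrdersBatch"
-- (hypothetical names) in their connection strings.
CREATE TRIGGER trg_require_approved_app
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Never gate administrators: a faulty logon trigger can refuse every login.
    IF IS_SRVROLEMEMBER('sysadmin') = 1
        RETURN;

    -- APP_NAME() returns the application name the client declared at connect time.
    -- Service accounts and tools that must keep working need their own entries here.
    IF ISNULL(APP_NAME(), N'') NOT IN (N'OrdersDesktop', N'OrdersBatch')
    BEGIN
        -- Inside a logon trigger, PRINT output is diverted to the SQL Server
        -- error log, which leaves a record of each refused attempt.
        PRINT 'Logon refused for ' + ORIGINAL_LOGIN()
            + ' using application "' + ISNULL(APP_NAME(), N'') + '"';
        ROLLBACK;  -- rolling back inside a logon trigger terminates the session
    END
END;
```

Because the application name is supplied by the client, this works as a guardrail against ad-hoc tools rather than as authentication. If the trigger ever refuses legitimate logins, an administrator can connect over the dedicated administrator connection and run `DROP TRIGGER trg_require_approved_app ON ALL SERVER`.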
  • Consumerization of IT

    This is what happens when we allow the consumer to dictate the needs of what they want in the IT environment. You can't take away the controls of IT and expect that everything is going to be secure.