There has been a lot said about the security risks of Bring Your Own Device (BYOD). Despite this the savings it offers hard pressed IT departments has made it popular. To help companies out, security vendors have rushed to deliver tools to manage smartphones, tablets, laptops and other devices used inside the enterprise.
Centrify survey results show iPhone still dominates business use
According to a recent survey carried out by security vendors Centrify, there is still a big gap when it comes to securing mobile devices. The focus of this particular survey was users of Apple devices although it asked users about all the devices that they used.
The most used smartphone was an iPhone (81%), the most common tablet was Android (61%) while Windows was top when it came to computers (60%). iPad usage was just 7% while Apple computers were 19% of those in use.
Devices more likely to be used at home and work than on the go
A surprise from the survey was that users claimed that they were more likely to use their devices at work (87%) than at home (74%). They also reported that they used their devices least when in hotel rooms (42%)than public areas such as coffee shops and airports (58%). These numbers will surprise a lot of people, especially given that it includes iPads and iPhones which seem to dominate airport business lounges.
What also makes these numbers strange is that for iPhones (76%) and iPads (50%) the devices are owned by the user. When it comes to Apple computers, however, that number drops to just 38% being owned by the user with 57% being owned by the business.
How bad could device security be?
This is where the survey takes a turn for the worse as far as responsible usage is concerned. While 94% of laptop/desktop users has a password or pin that figure dropped to 90% for iPhone users and 86% for iPad users.
With all users claiming to use their devices for access corporate information there is no reason for the desktop/laptops not being secure. With the theft of mobile devices also running at an all time high and iPads/iPhones being highly desirable based on their price, it is a surprise that these are also not secure.
This is not just about users taking advantage of the on device security such as PIN, password or biometrics but also corporate device management. There are numerous security applications out there to enable companies to enforce their password policies across mobile devices. This survey suggests that either companies are not being diligent or that their internal password policies need updating.
The survey addressed the latter by asking about enforcement of company security policies on devices. 42% said that strong passwords including long lengths and special characters were required. 35% said data on devices had to be encrypted so how does that translate in practice?
A deeper look at what is happening around passwords
Looking deeper into the data it becomes clear that even where users are using security on their devices, many are doing the bare minimum. The most common type of password differs by device. For iPhones (50%) and iPads (38%) a pin number is the most common form of protection.
For laptops and desktops it is a combination of letters and numbers (47%). The latter is not surprising. There are many large commercial sites including some banking apps that restrict users to just letters and numbers. When it comes to more complex passwords such as using alphanumeric and special characters, just 20% of all devices are secured this way.
Given the response to the complexity of passwords given above it is clear that there is a significant air gap between the perception of how corporate policy is enforced and the actual implementation. This is something that should be addressed urgently.
The majority of users were keen to say that the password they use on their devices is unique and not used elsewhere. If true then this is a big step forward and it seems that the message about reuse is finally getting across.
Apple has made much of its use of the fingerprint to help secure its later generation iPhones and iPads. Despite this only 19% of iPad and 28% of iPhone users take advantage of this. It could be that the majority of users in the survey were using older devices but the last two generations of iPhones and iPads have both supported fingerprints.
Password sharing on devices is rampant. Only 38% of laptops/desktop users, 39% of iPad users and 48% of iPhone users claimed that they were the only one who knows their passwords. Family members include spouse and children were the most likely to know a users password.
Shockingly 37% of laptop/desktop users, 35% of iPad users and 17% of iPhone users admitted that their IT department had their passwords. It’s hard to see why any member of an IT department would need a users device password except in exceptional circumstances. Handing out passwords to an entire department is only barely better than having no password at all.
It’s all in the mind
The last part of this survey looked at how users remember passwords. Very few people are good at retaining multiple complex passwords in their heads. Despite this 44% of those surveyed said that is exactly what they do. This bucks the trend and suggests that there is a risk that they are reusing passwords in order to be able to remember them.
Only 16% of people have access to a company supplied password management solution with 28% choosing to buy their own. When it comes to the “write it down approach”: spreadsheet (17%) and paper (17%) were more common than the corporate password management option. This suggests that companies really need to be investing in the right products to help support their staff, especially mobile users with multiple devices.
It would be easy to say that this report delivers no surprises at all and just reinforces what most security professionals believe when it comes to device security. However, it also highlights a lot of corporate failing both in enforcing policies and providing users with adequate tools.