A fascinating survey sponsored by GFI Software has thrown a pretty large spotlight onto a major security issue that connects directly with the ongoing debates about BYOD and security. It also raises fundamental questions over how BYOD should be managed – though no doubt some would suggest the evidence of the survey indicates it should not be attempted at all.
And that evidence? The survey looked at the use UK office workers make of smartphones and tablets working with public Wi-Fi services, while commuting to and from work. This shows that commuters regularly connect to free, unsecure Wi-Fi services during their daily journey, putting personal and company data at risk every week.
The survey, carried out by Opinion Matters, covered how 1,001 UK office workers used their tablet or smartphone when traveling to and from work on a train, bus or tube. It has shown that not only are these commuters regularly using mobile devices and public data services in the cloud as their primary activity, but also that they - and their employers - are falling foul of data security issues, as well as heightened risk of physical crime.
Every one of the survey respondents acknowledged that they used open, public Wi-Fi connections at least once a week to carry out work-related tasks such as sending and receiving email, reviewing and editing documents and logging into other company servers and storage repositories. On average, users connected to public Wi-Fi services to do work and access work systems 15 times a week, putting company data and passwords at risk from packet sniffing and other forms of traffic interception.
This evidence of what is now obviously considered common practice by the user community raises that important question: if this is what they are doing, would it not be better to ensure that the actual data and processing functions are held and conducted in a far more secure environment? Basically, if this is the common practice, have the tablet or smartphone connect as a thin client to a server-based environment.
Such a model would seem to provide a much greater level of intrinsic defence against cyber-attack than current approaches provide, especially if the common practice is to use the most handy public, and often free, Wi-Fi service that a commuter comes across. For some rail journeys, for example, that could mean using two or three different services during the course of a journey, with the additional issues of broken transmissions and, as a consequence, disrupted communications and transactions.
GFI’s own answer to the problem is the latest version of its patch management, vulnerability assessment and network auditing software, GFI LanGuard. The new 2014 edition features vulnerability assessment for mobile devices, including tablets and smartphones, running the mobile operating systems iOS, Android and Windows Mobile, as well as support for Linux and more than 20 additional third-party patches. GFI is targeting LanGuard at the small to mid-sized business community, and aims to provide network and system administrators with the ability to manage all of their patching and vulnerability assessment needs through a single, intuitive and easy-to-use interface. The system offers agent-less vulnerability assessment for all smartphones and tablets that connect to Microsoft Exchange servers.
The level of security available with use of public Wi-Fi is, as GFI Software CEO, Walter Scott, points out, a serious potential danger, particularly to smaller businesses with limited resources for managing such tasks as vulnerability testing.
“The research findings reveal a stark and concerning trend among commuters – one of using their personal devices to catch up on work during their commuting downtime, but doing so over highly insecure internet connections that can be easily intercepted by other users or the operator of the access point,” he said. “Mobile internet access is now firmly entrenched as a day-to-day norm, but with that has come an increasingly relaxed user attitude to data security, compliance and data governance policy. Companies need to address mobile device management to ensure that use in insecure environments doesn’t create vulnerabilities that could be exploited by criminals – both cyber and conventional.”
Some of the key findings from the survey include the fact that 46 percent of the respondents use Wi-Fi as their primary means to access the internet on their mobile device, more than the 43 percent who rely on 3G data services. Just over 30 percent connected to public, untrusted Wi-Fi services to access confidential work data at least once a week, with the overall average being 15 times a week.
Half of them said they become frustrated if no free public Wi-Fi is available, which not only shows how Wi-Fi is now seen as a necessary part of daily life, but also a lack of understanding about basic business, by not pondering the question of how such services generate revenue to sustain themselves.
Just over half, 57 percent, are concerned about being robbed if they use their smartphone or tablet in public locations such as train stations, bus stops or while walking to and from work, while 52 percent are concerned about data being intercepted when using public Wi-Fi. Despite that, they continue to use the service, which perhaps indicates that the pressure from employers for them to complete tasks outweighs a perceivable security risk in the employee’s mind. If that is the case, it is a factor for employers to consider about their own operations and policies.
Perhaps the most startling finding is that, despite the risks, 20 percent of mobile devices have no security enabled, not even a password or PIN number, while only 5 percent have corporate security policies enforced on their devices.
All of these security issues are being exacerbated by last year’s launch of public Wi-Fi services on most Tube station platforms and ticket halls. This has already proved to be a popular and well-used service, with 84 percent of Londoners surveyed confirming that they openly use their mobile device on public transport, with 37 percent using free public Wi-Fi available at stations.
The survey also showed that the increased commuter use of smartphones and tablets is pushing more companies to adopt BYOD policies, or at least allow BYOD practices, but this is often without the business having the infrastructure in place to manage a sudden upsurge in different client device types. What makes it worse is that 36 percent of the respondents admitted to using mobile devices to circumvent existing network security policies.
Getting on top of the security issues surrounding BYOD is, therefore, becoming a crucial issue, particularly as the survey showed 100 percent of respondents use their mobile device for work and personal activities while connected to the company network.