ISACA, a nonprofit global association of more than 100,000 IT audit, security, risk and governance professionals, has released findings from its 2012 IT Risk/Reward Barometer survey. The annual survey unveils interesting findings on Indian enterprises’ acceptance of “bring your own device” (BYOD) for their employees and usage of work-supplied devices in a global context.
Controls On Personal Devices
IT professionals in India remain resistant to the BYOD trend. In fact, more than half (56 percent) reported that the risk outweighs the benefit. The survey also highlighted that India stood first among its global counterparts in prohibiting BYOD, with nearly half (46 percent) of Indian enterprises successfully deploying a BYOD policy to prohibit the use of personal mobile devices for work to mitigate the risk to the enterprise. India was followed by Europe (39 percent), China (30 percent) and the US (29 percent).
Regarding security controls for employees’ personal devices, nearly half (47 percent) of Indian enterprises reported deploying password management controls as a security layer, compared to China and Europe (44 percent) and the US (42 percent). India registered lower interest in remote wipe capability (29 percent), which allows employers to erase the contents of an employee’s personal device as a security measure, compared to the US (46 percent), China (39 percent) and Europe (37 percent).
Commenting on the survey findings, Avinash Kadam, CISA, CISM, CBCP, CISSP, GCIH, GSEC, PMP, ISACA India Task Force advisor, said, “The survey results are an eye opener and present an interesting dichotomy from the governance of IT perspective of Indian enterprises compared to its global counterparts. It is always a challenge to retrieve an enterprise’s data when an employee who uses a personal device for work purpose leaves the company. It is imperative to structure a clear policy for BYOD.”
ISACA recommends an embrace-and-educate approach: embrace the technology and the value it brings, while ensuring ongoing and proactive education and training on security policies and risks.
ISACA recently published Securing Mobile Devices With COBIT 5 to help enterprises deal with this challenging issue. By applying COBIT to mobile device security, enterprises can establish a uniform management framework that helps them plan, implement and maintain comprehensive security for mobile devices. COBIT also provides guidance on how to embed security for mobile devices in corporate governance, risk management and compliance strategy, using COBIT 5 as the overarching framework for GRC.
Controls On Work Devices
The survey also unveiled some interesting trends regarding company policies about personal use of work devices. It was observed that 58 percent of Indian respondents say their enterprises prohibit access to social networking sites from a work-supplied device. This was the highest when compared with China (33 percent), Europe (30 percent) and the US (32 percent).
Additionally, 45 percent of Indian respondents reported that their enterprise prohibits its employees from shopping online using work-supplied devices, whereas enterprises in Europe (21 percent), the US (20 percent) and China (19 percent) are more permissive.
Non-involvement of business heads and budget constraints are the greatest hurdles for Indian IT companies in addressing IT-related business risk.
The survey highlights that 33 percent of the respondents felt that the business heads are not fully engaging in risk management and 21 percent said that budget limits remain an obstacle to effectively addressing risk. At the same time, 39 percent of the Indian respondents felt that the situation can be improved by increasing risk awareness among employees.
“The survey highlights that there is a need for enterprises to educate and create awareness about IT risk, as a third of the respondents felt that the business heads are not fully engaging in risk management,” Kadam said.