AuditNet Survey of Bring your own Device (BYOD) - Control, Risk and Audit



The pace of technology moves much faster than managers and auditors can understand and react to with updated policies, procedures and controls. Not too long ago workplace technology was simple. Companies purchased and issued technology devices, which employees accepted. The expectation was that employees would keep business and personal computing separate. With the change in technology we have witnessed a tsunami of technology-enabled devices. The use of mobile devices by employees is clearly a trend that has occurred in all businesses and organizations. The availability of this technology has blurred the line between business and personal connectivity. Technology-hungry professionals are quick to purchase the newest mobile phones and devices the instant they are released. The rapid advance of technology and its application in business is constantly evolving, forcing organizations to adapt before considering all the business risks and benefits. The risks associated with the use of mobile computing continue to grow as more and more employees use mobile devices in their daily work activities. As a result, internal auditors are now on the front line, both in understanding the technology and in assessing the risks and auditing BYOD and mobile device policy and usage. This survey seeks to build on existing surveys and research by reaching out to the global audit community on the risk, control and audit of BYOD (mobile device) policies and usage.

Executive Summary

Despite all the literature and information available on the risks associated with mobile devices and the BYOD explosion, the survey shows that this area is not a high priority for internal auditors. Internal audit and management risk tolerance for this area appears to be quite high; therefore senior management and the board have not elevated the threat level for BYOD and MDM. The pace at which BYOD has expanded into the workplace has clearly bypassed senior management and the board, which means that auditors have not incorporated this area into their work plans. At this point the primary focus for internal audit may be educating senior staff, the Board and the Audit Committee on the associated risks, together with a call to action on policy and security, to ensure that the risk is addressed and that the proper controls are put into place to protect their organizations.

Survey Key Issues

- Close to 3/4 of those who responded indicated that their employer allowed employees to bring their own devices to work.
- The primary BYOD service allowed by companies and organizations, as reported by survey respondents, was e-mail, followed by application access via a Virtual Private Network (VPN). Almost half the organizations allowed access to social media.
- Close to 80% said that their employer provides company-owned mobile devices to employees, while more than half said that they did not have a policy for mobile devices (commonly referred to as bring your own device, or BYOD).
- More than half of those who said their employer had a policy indicated that it was not well communicated to staff.
- Almost two thirds of those who said their employer had a policy felt that it was not thorough or lacked the basic best-practice elements.
- Slightly more than half required employees to sign a written agreement that outlines employer and employee rights and obligations with respect to the devices and a code of conduct.
- The greatest concern expressed by the auditors was confidentiality of information, followed by data breach or misuse.
- More than 80% of the auditors indicated that:
  - a risk evaluation covering mobile devices has not been performed
  - a training or awareness program covering BYOD risks or controls has not been conducted
  - they have not audited this area
  - they have not included this area in their current or future audit plans

Survey Comments and Observations

The 2014 AuditNet Survey of BYOD Control, Risk and Audit was circulated to the AuditNet community, LinkedIn groups, Twitter and our extended network of audit and compliance professionals. More than 300 auditors responded to the survey from 8 different industry sectors. Over 1/3 of the responses were from organizations with fewer than 1,000 employees and 40% from organizations with between 1,000 and 10,000 employees. Almost 70% of the respondents worked in audit departments with fewer than 10 staff. Close to 3/4 of those who responded indicated that their companies allowed employees to bring their own devices to work. Email was the most widely accepted application (95%) allowed by company policy. This is hardly surprising, as email was the first Internet application that received widespread acceptance by both employees and companies. What has changed is that email is now widely available from mobile devices as well as from office computers.

When asked whether the organization provided company-owned mobile devices to employees, more than 75% responded affirmatively. The caveat to this response is that we did not ask for a breakdown by type of mobile device, which means the majority could be mobile phones. The next question, however, reveals that while mobile devices are widely distributed across organizations, the existence of a formal policy lags behind. Forty-four percent indicated that their organization has a BYOD policy. One of the standard best practices for BYOD and MDM is the existence of a written organizational/company policy. Even among those who reported a written policy, less than half indicated that employees are made aware of the policy. On the positive side, more than half reported that their company/organization requires employees to sign a written agreement outlining employer/employee rights and obligations with respect to mobile devices and a code of conduct. A signed agreement is a strong control should the employee violate the company BYOD/MDM policy. The primary policy areas covered, according to the survey, were access, acceptable usage and email, with less coverage for configuration, stored data, malware protection, applications, guest networking and SMS. Access, acceptable usage and email policy for mobile devices are the most common and the most easily added to a policy, while the other areas require more technical expertise than most organizations are willing to allocate time, effort and resources to.

Reimbursement for Mobile Devices

On the issue of reimbursement for mobile devices, 23% of the respondents indicated that their organization had a policy for reimbursing costs associated with mobile devices. Despite the lack of a reimbursement policy, along with the high percentage of mobile devices provided by employers (80%), it appears that employers are covering the costs even without a policy. However, the reimbursement question does not delve into the details regarding the type of mobile device, so the low response may indicate that while a formal policy may not exist, employers may still be covering expenses for mobile devices. These expenses could include data plans, calling plans, messaging services and other mobile applications.

Mobile Device Tracking

More than half reported that their organization does not maintain a list of supported devices. The question then becomes whether they maintain an inventory of devices, and if they do not, how do they safeguard and control the maintenance costs? Furthermore, of those that do maintain a list of supported devices, more than 70% do not provide their employees with the list. So again, how do the employees know whether they have a supported device?

Strength of Mobile Device Policy

As to the question of how strong their company policy is in relation to mobile devices, more than 60% indicated that they felt their company's mobile device policy was either not thorough or lacked coverage of the basics. A formal written policy outlines general rules about device use, including the rights of both employer and employees. The key is to balance protecting company interests with respecting workers' privacy rights and allowing for continued personal use of the device. The following best practices outline the elements of a mobile device policy:

- Voluntary or mandatory?
- Scope. Who is included in the policy?
- Supported devices. The BYOD program should specify the devices supported and any limitations (e.g., prohibiting an employee from "jailbreaking" a smartphone that stores employer data). The minimum system requirements and configurations also should be addressed.
- Security requirements. Individuals tend to take fewer steps to secure mobile devices than businesses do. The security of employer-provided data on personal devices may be improved somewhat by advances in technology, such as the new iPhone fingerprint scanner, but security risks will never be eliminated. Accordingly, employers should consider deploying mobile device management (MDM) tools to improve security, including requirements such as:
  - Users must register their device with the MDM tool as a condition of access.
  - Users must use strong passwords on the device.
  - Encryption for all data sent outside the corporate firewall.
  - Affirmatively block access to "blacklisted" sites or applications.
  - Enable remote wiping to the extent permitted by law.
- Consent to employer access. As a condition of enrollment in a BYOD program, employees should affirmatively consent to, and waive any objection to, the employer's access, review and collection of data on the personal device. The consent should be simply and clearly written and be broad enough to cover all potential needs of the business (e.g., to comply with a court order; to assist an internal investigation; to provide technical support; etc.). Importantly, employees should be advised not to expect privacy even in purely personal information. If consent is given in more than one manner (e.g., a handbook acknowledgment; an electronic signature during the MDM installation process), ensure that the language is consistent.

When asked whether their policy covered some of those best practices, the responses are summarized in a chart in the full survey report. Responses of "no" or "I don't know" represent weak or non-existent BYOD policy elements. Companies must make sure that their policies cover the basic elements. These represent high-priority areas for internal audit to address when reviewing existing policies or presenting a best-practice model to management for consideration.

Mobile device security is a high-priority issue for management as well as auditors. The majority of respondents reported that anti-malware and firewall policies are in place. The remaining security policies were not in place, according to the majority of those surveyed. Less than one fourth of those who took the survey reported that their company had performed a risk assessment of mobile device usage. Widespread use of mobile devices and their accompanying security risks is a sign that auditors should not ignore. Even more concerning is the fact that one third of those taking the survey did not know whether a risk assessment had been performed. Audit should be part of the risk assessment process, and if it were, a more accurate response to this question would likely have resulted.

Training and awareness represent key elements of an effective BYOD and MDM program. Letting employees know what is expected of them, as far as maintaining the security of their personal mobile devices, doesn't always mean they understand. Conducting training and awareness programs for device privacy and security can help drive certain points home and reinforce the BYOD policy established by your organization. This is an area that auditors should look for when performing a review of BYOD and MDM.

The greatest concern among survey participants was confidentiality of information, followed by data breach or misuse. Data loss, adverse publicity and integrity of data were the areas of least concern for those responding. These areas, however, relate directly to reputation management, and we would expect auditors to be highly concerned about them. Confidentiality of information is important, and press coverage of confidentiality lapses may explain the level of concern expressed by those taking the survey.

Given that BYOD is firmly embedded in corporate culture and that a risk exposure is highly likely to occur, you would think that audit departments would have worked on acquiring the necessary skills to audit this area. Yet approximately 55% indicated that their department lacks the skills to audit BYOD. That leads into the responses to the next several survey questions pertaining to performing risk assessments and/or audits of BYOD. The majority of those completing the survey have not performed a risk assessment for this area, nor have they included BYOD in their current or short-range audit plans. The failure to consider this high-visibility, high-likelihood, high-threat exposure as part of an overall enterprise-wide risk assessment, and to include this area in both the short- and long-term audit plan, is both short-sighted and ill-advised. Internal audit must begin assessing the risk and including audits of BYOD and MDM, starting with policy and then moving on to device management, control and security. If this area has been a focus for senior management and/or the audit committee, it has not been communicated to internal audit, as BYOD is under consideration at only 40% of the companies according to the survey responses. Internal audit must bring this area to the attention of senior management, the audit committee and the Board. Raising the threat level and exposure should influence tone at the top and raise the priority for both risk assessment and audit planning. When asked whether internal audit was evaluating MDM to determine its adequacy to protect proprietary and sensitive information, or BYOD practices to ensure compliance with privacy and data security standards, the majority of those responding to the survey indicated that these areas were not under review. If these areas are not being reviewed, there is an increased risk of exposure in the very areas that audit identified as critical, i.e. privacy and security of sensitive information and data security.

The survey clearly demonstrates that the bring your own device, or BYOD, trend is firmly entrenched in organizations. Mobile device management (MDM) and policy, however, are not keeping pace with organizational implementation and employee usage of these devices. The most revealing trend is that many organizations are clearly not addressing the risks that usage of these devices poses, and auditors have not built these factors into current or planned audit coverage. Based on (1) the volume of mobile device usage, (2) the risks that use of these devices represents, and (3) the likelihood of a risk event and its potential impact, management and audit should be paying more attention and devoting more resources to BYOD and MDM.

Jim Kaplan, CIA, CFE
AuditNet Founder

The summary and detailed results, including charts and graphs, are available online.