With the development of faster Internet service, and the skyrocketing use of smartphones, the number of Africans shopping online has dramatically increased in recent years.
According to the “2011 Shopping on the Job Survey: Online Holiday Shopping and BYOD Security”, conducted by global information technology association ISACA, 50% of the 318 IT professionals surveyed in Africa believe employees will increase their online holiday shopping during work hours this year, posing increased risk to the enterprise.
The “2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security” found that online shoppers plan to spend 32 hours on average shopping online this holiday season, with 18 of those hours on a work-supplied device or a personally-owned device also used for work activities - a trend called 'BYOD' (bring your own device). People are also becoming increasingly tech-savvy: the use of mobile applications has nearly tripled since last year's survey, 29% click on daily deal sites such as Groupon, and 7% scan quick response (QR) codes.
BYOD is here to stay
ISACA, a non-profit, professional association of 95 000 IT audit, security and governance professionals, also conducted a separate survey of more than 4 700 of its members from 84 countries. The member survey results show that these IT professionals believe their organisations are increasingly challenged to deal with BYOD. In every region except Europe, more respondents say employees are allowed to use personal devices for work purposes, but members in five of the six regions say the risk of using a personal mobile device for work purposes still outweighs the benefits.
Use of personally-owned PCs or mobile devices - typically more difficult to secure than work-issued devices and used for a wide range of often high-risk online activities - means sensitive corporate information may be compromised through device theft or loss, or malware attacks.
“The consumer survey shows that two-thirds of employees between the ages of 18 and 34 have a personal device they use for work purposes. BYOD is here to stay. However, the fact that the majority of ISACA members say the risk outweighs the benefits means that education and precautions are strongly needed,” said Robert Stroud, CGEIT, CRISC, past international vice-president of ISACA and vice-president and service management, cloud computing and governance evangelist at CA Technologies.
User location data tracking a turn-off
While close to four in 10 consumers surveyed use PayPal or a similar secured service to protect their online transactions, they are concerned about newer features, like their mobile devices' ability to track their location. Fully 74% say they would turn off user location tracking because of risks such as stalking or identity theft, and 9% would keep it on only because they don't know how to turn it off. Coupled with this lack of knowledge and concern are risky online behaviours. A third of consumers (34%) have clicked on a link in a social media site (up from 19% in 2010), and more than one in 10 (13%) click on e-mail links from someone they do not know.
“For the fourth year in a row, ISACA's online holiday shopping survey shows that employees are unwittingly risking the introduction of viruses, malware and phishing scams into the workplace. What is new this holiday season is the growing role of BYOD, which demands that organisations [will] be more focused than ever on embracing emerging technology and the benefits it brings, and educating employees about safe practices,” said Ken Vander Wal, CISA, CPA, international president of ISACA.
The consumer survey shows that 16% of respondents say their organisation does not have a policy prohibiting or limiting personal activities on work devices, and another 20% do not know if their enterprise has one.
“There is a distinct gap between what IT departments may do, and what employees understand or know about,” said John Pironti, CISA, CISM, CGEIT, CRISC, CISSP, security advisor with ISACA and president of IP Architects. “For example, many employees do not realise that, as part of the process of connecting their personal device to the organisation's corporate network, they may have agreed to allow their personal smartphone or tablet to be remotely or locally wiped clean if they lose it or the organisation believes it has become compromised while storing confidential data. Setting a policy for the use of personal smart devices and effectively communicating it to employees are crucial.”
Managing your BYOD mobile device: 5 tips for employees
ISACA offers these tips to help employees manage their personal smartphones, tablets or notebooks that they also use for work activities:
* Make sure you understand the policies, standards and guidelines that you agree to comply with when connecting a personal device to your corporate network.
* Understand what happens if your organisation believes your device is lost, stolen or represents a security risk.
* Follow ISACA's five-step 'ROUTE' for informed use of geolocation.
* Make sure you have enabled all of the security features on your device, including file and network encryption, pass codes, and device locator capabilities.
* Ensure that your devices are current with the latest operating system and application updates on a regular basis.
BYOD in Africa
The majority of IT professionals in Africa consider using a work-supplied device to click on an e-mail link to access a shopping site (62%), access a social networking site (50%), use mobile shopping applications (47%), and download personal files or music (64%) to be high-risk activities. And, while 66% of respondents say their enterprises have technology in place to protect against Web-based attacks, and 46% say their enterprises restrict employees' use of IT assets and time for personal purposes due to security concerns, many (40%) are still allowing the use of work-supplied devices for personal use and online shopping. However, several enterprises appear to draw the line when it comes to accessing social networking or daily deal sites from a work-supplied device (73% limit or prohibit this activity).
While the use of applications with geolocation capabilities is increasing worldwide, 53% of African respondents say their enterprises do not provide guidance on security issues regarding the use of geolocation services on smartphones and other devices. Many geolocation features can be advantageous, but employees need to be educated on when and how to enable them, and when to turn them off. ISACA's five-step ROUTE provides guidance for employees to minimise geolocation risk:
* Read mobile app agreements to see what information you are sharing.
* Only enable geolocation when the benefits outweigh the risk.
* Understand that others can track your current and past locations.
* Think before posting tagged photos to social media sites.
* Embrace the technology, and educate yourself and others.
“In Africa, as in the rest of the world, the line between work and personal mobile devices is blurring. Along with this risky overlap are the added elements of geolocation applications and increased use of electronic payment options,” said Brian Barnier, CGEIT, CRISC, member of ISACA's Risk IT framework development team. “Enterprises must deeply understand technology-related risk to the business. For example, mobile money transfers can benefit rural areas and widely open a door to fraud.”
The complete survey results are available at www.isaca.org/online-shopping-risk.
The 2011 ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security
The ISACA Shopping on the Job Survey: Online Holiday Shopping and BYOD Security, now in its fourth year, helps gauge current attitudes and organisational behaviours related to the risk and rewards associated with online shopping, and the blurring boundaries between personal and work devices. The study is based on October 2011 online polling of 4 740 ISACA members from 84 countries, including 1 678 members from the US. A separate online survey was fielded among 1 224 US consumers by M/A/R/C Research, between 27 and 30 September 2011. At a 95% confidence level, the margin of error for the total sample is +/- 2.8%. To see the full results, visit www.isaca.org/online-shopping-risk.
ISACA
With 95 000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the non-profit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) designations.
ISACA continually updates COBIT, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
ISACA South Africa
E-mail: admin@isaca.org.za
www.isaca.org.za
Telephone: (011) 803 0803
Facsimile: 086 684 2979
Physical address:
Technology Village
43 Homestead Road
Rivonia
South Africa

