Employees continue to use risky apps on mobile devices

Risky applications and business applications are being used side-by-side on devices owned by employees that are used for work, according to a survey by the SANS Institute.

Nearly 80% of the 600 survey respondents who completed the substantive sections of the survey allowed communications and collaborative apps on personal mobile devices, nearly 60% of which also have general Internet apps (such as web browsing and media file sharing), while another 44% allow VPN access from BYOD and 26% allow access directly to business systems.

Four percent of the respondents answered that personal mobile devices are also accessing control system applications, while another 8 percent are allowing access to field service applications.

“Personal mobile device access to critical business and infrastructure systems should raise huge red flags to organizations thinking that their only concern will be e-mail on employee-owned smartphones, pads and tablets,” says Deb Radcliff , chief of the SANS Analyst Program, which developed the report. “Meanwhile, the means to protect access, applications and data are more difficult to develop and unify in mobile BYOD computing.”

For example, providing a unified identity management framework was both the least practiced and the most difficult to achieve, according to respondents. They are also trying to discern which tools and techniques make the best sense in protecting their networks and data from BYOD risks.

Securing devices and the mobile platforms was the top method of protection being implemented by 66% of respondents, with application lifecycle management being practiced by only 36% of organizations.

“Mobile application development seems to be repeating many of the mistakes from the past,” says Kevin Johnson , SANS Analyst and author of the report. “And these weaknesses need to be resolved due to the sensitive nature of the data on the devices.”

Of those 253 survey takers that also develop applications, the majority are web-based, with 32% of developers saying they also developed line of business applications. The good news that nearly 60% of them indicated they had application security lifecycle processes embedded in their development and testing cycles.

“The prominent use of mobile devices together with cloud computing have even greater potential to expose critical information than in the past,” adds Barbara Filkins , SANS Analyst consulting on this survey. “Mobile application development can no longer afford to ignore security best practices.”

Don't miss