At the 2012 McAfee FOCUS conference in Las Vegas in October, Avecto conducted a survey that revealed some serious concerns IT professionals have about their companies’ privilege control policies. In addition to pointing out the wide disparity that exists between organizations’ future security goals and their existing (and often, lacking) best practices, the survey also shed some light on what the future holds for Bring-Your-Own-Device (BYOD) within the enterprise.
Of the 365 surveyed participants, all IT professionals in attendance at the show, 84 percent held least privilege in high regard, emphasizing an organizational need for better control of user privileges on company machines. The largest group of these respondents (45 percent) pointed to malware attack mitigation as the primary reason for establishing better privilege control, followed by 18 percent who attributed it to either combating insider threats (9 percent) or meeting external compliance requirements (9 percent).
While these results are promising for today’s IT security landscape, the survey uncovered a troubling discrepancy between organizational support for least privilege and its actual implementation. True, the majority of respondents recognize the importance of limiting admin rights – yet nearly 40 percent of respondents reported that more than half their employees are still running devices with elevated rights, and another five percent were unsure how widely privileged accounts are being used within their organizations.
Clearly, least privilege is top of mind for most, but IT will have to make a stronger push to turn mere awareness into reality. Implementing more proactive defense-in-depth security measures, such as privilege management and application control, is the first step in the right direction.
The survey’s findings on BYOD trends reflect a similar dichotomy, where 70 percent of respondents named security as their biggest BYOD concern, yet about 50 percent of those surveyed said their organizations either don’t have a BYOD policy in place (22 percent) or allow employees to use any device (27 percent).
Looking ahead, this disconnect will continue to hamper the BYOD enterprise workforce. Unless policies are put in place to balance security concerns, personal devices will be limited to only a handful of tasks, such as email access. Of course, corporate policies for personally-owned devices are not black and white, and resolving this compromise will not come easily. For some organizations, especially those in heavily regulated industries, the security concerns around BYOD simply cannot be ignored, and a Choose-Your-Own-Device (CYOD) policy may be more appropriate, where the organization continues to own the devices and takes responsibility for securing and managing them.