Some 14,000 mobile devices belonging to the US Military Academy and the US Army Corps of Engineers were found lacking proper security policies.
The devices, used by Army personnel and civilians, were given access to sensitive and critical military networks and data. The IG report found that no management software was installed on any of the devices, and that no remote wipe function was added in case they were lost or stolen.
The IG reports that the security gap posed serious risks and may have left sensitive networks extremely vulnerable. Concluding that companies and institutions should impose stricter BYOD (Bring-Your-Own-Device) policies, the IG report places a high risk factor on improperly authenticated and monitored handhelds that access critical systems.
“In addition, the Army CIO inappropriately concluded that CMDs were not connecting to Army networks and storing sensitive information,” the report said. “As a result, critical information assurance controls were not appropriately applied, which left the Army networks more vulnerable to cyber-security attacks and leakage of sensitive data.”
Improper BYOD policies can cause serious damage, and strict rules regarding devices and access need to be set up, said Shawn McCarthy, research director for IDC Government Insights. The Army’s CIO said the security gap will be addressed and proper steps will be taken within 12 months, and that all devices will meet the new recommendations.
“BYOD can’t be the Wild West where everybody can bring every device,” said U.S. Department of Defense spokesperson Air Force Lt. Col. Damien Pickart. “Certain rules have to be set and the act of setting those rules can exclude some devices.”
The IG report also says users need to be more aware of the security risks personal devices may pose if used for both personal and work purposes.