A new report today from phishing protection company SlashNext Inc. finds that a majority of employees have sensitive work information on personal devices as “bring your own device” behavior continues to surge in popularity.

The 2023 Mobile BYOD Intelligence Report surveyed individuals about the use of personal devices for work-related tasks, how employers balance corporate security and employee privacy amid the rise of BYOD and the resulting cybersecurity gaps. At the top of the findings was that 71% of employees store sensitive work information on their personal phones.

The study found that 90% of security leaders say protecting employees’ personal devices is a top priority, but only 63% say they have the tools to do it adequately. Additionally, 43% of employees were found to have been the target of a work-related phishing attack on their devices. Some 95% of security leaders said that phishing attacks via private messaging apps are an increasing concern.

For employees, two-thirds were found to use their personal texting apps for work, while 85% of employers require work-related apps to be installed on employees’ personal devices. Nearly 90% of information technology and security leaders acknowledge legal concerns about having access to employees’ private data.

In perhaps a logical outcome, 81% of employers say the solution for employee mobile data security and privacy is to give employees a separate phone just for work. However, it’s noted that doing so would effectively double the attack surface for threat actors.

“With the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information,” said SlashNext Chief Executive Patrick Harr.

Harr noted that in 2022, the use of personal devices and personal apps was the direct cause of many high-profile corporate breaches and the trend will surely continue. “Threat actors know there are fewer security controls on personal mobile devices, and they have increased efforts to compromise these devices and access valuable corporate data,” Harr warned.

Discussing the report ahead of its release, Bud Broomhead, CEO of enterprise internet of things security platform provider Viakoo Inc., told SiliconANGLE that one of the issues had been the switch to remote working.

“Without a doubt, enterprise cyber risk is higher with many employees continuing to work from home; the network is not typically under the control of corporate IT and the protection that corporate IT can provide,” Broomhead said. “The good news is this is not an unfamiliar situation. Enterprise IoT devices typically operate on networks not managed by corporate IT and the best practices from IoT security directly apply in work-from-home situations.”

Sounil Yu, chief information security officer at cyber asset management and governance solutions provider JupiterOne Inc., said there should be less concern for the data on mobile devices and more concern for what data the phone unlocks.

“Attackers understand that mobile devices have become essential in supporting two-factor authentication that guards access to troves of data,” Yu added. “As such, they are frequently targeted through SMS hijacking and enticing malicious apps. To better protect the data that your mobile device unlocks, you should avoid using SMS or phone calls as your second factor and use authenticator apps instead.”

Image: SlashNext