Along with no knowing they had been breached or having a plan for dealing with problems from personal devices, ITIC and KnowBe4 said, “56% of organizations acknowledge they are not fortifying their existing security measures, taking extra precautions or implementing security training despite recent high-profile security attacks against Fortune 1000 firms like Adobe, Reuters, Target, Skype, Snapchat and others.”

Other survey highlights:

• Thirty-four percent of the participants acknowledged they either “have no way of knowing” or “do not require” end users to inform them of security issues with employee-owned BYOD.
• Three in 10 respondents were unaware or unable to discern whether BYOD security breaches impacted servers, mission critical apps or network operations.
• Thirty-two percent said they either have no BYOD-specific security in place or don't know.

“Individually and collectively, the inability of a significant segment of corporations to track and secure both company and employee-owned BYOD devices undermines IT and security administrators' ability to secure the environment,” the report said.

“It also creates a larger attack vector for hackers. And it makes servers and mission critical applications more vulnerable to infection by rogue code, malware or sensitive data that was hijacked when a BYOD device's security was compromised,” it said.

ITIC and KnowBe4 also found that the IT staff they spoke with were not necessarily happy about it.

“Anecdotal evidence obtained from first-person customer interviews indicates that 75% of IT and security managers are now lobbying executive management to construct BYOD-specific security policies to plug potential vulnerabilities,” the companies said.

Recommendations from the report – titled “2014 State of Corporate Server, Desktop and BYOD Security Trends Survey” – included:

• Conduct regular security audits and vulnerability testing. Include server hardware, server OS, application and network infrastructure to identify vulnerabilities and compare security across platforms.
• Regularly review and update policies and procedures. Corporations should review and update their security policies annually at a minimum or as needed to address emerging technologies and trends like BYOD and mobility.
• Perform due diligence. Become familiar with all specifics of the platform before beginning any new technology deployment (such as server hardware, application software, virtualization and cloud deployments.)
• Ensure compliance. The ability to adhere to compliance standards and meet service-level agreements hinges on server security, reliability and uptime.
• Estimate the cost of downtime. “Being able to affix a monetary cost to a security breach and assess the potential risk and damages that ensue in the wake of a security breach, will make the most cogent and compelling case for strong security mechanisms and security awareness training,” ITIC and KnowBe4 said.