BYOD, or Bring Your Own Device, is a double-edged sword. It can drive employee satisfaction by giving workers access to their device of choice. But it also presents chief security officers with a potential security nightmare that may closely reflect reality. Statistics reveal that more than half (53 percent) of companies have no BYOD policies in place, according to a recent survey by solution provider Champion Solutions Group.
“There is no way the dream of BYOD should ever turn into a nightmare for companies,” said Chris Pyle, president of Champion, a Boca Raton, Fla.-based solution provider.
Pyle said the study, conducted by Champion’s Message Ops business unit, surveyed 447 IT decision-makers including solution providers across a variety of industries. “This is one of the first-ever real glimpses into what other companies are actually doing when it comes to BYOD,” he said.
The survey, titled Real-World Mobile Device Security Practices, revealed that only 47 percent of organizations have formal BYOD policies. That leaves a majority of C-suite executives and their employees exposed to not just big business risks but also potential privacy leaks and compliance liability issues, he said.
The study concludes that a half-baked or nonexistent BYOD policy can force a company to make costly infrastructure investments and create unwieldy management policies. At risk, the study reports, are data security, operational integrity and regulatory compliance.
“There is no excuse not to have a BYOD policy in place,” Pyle said. For solution providers, he said, this creates new opportunities to beef up service offerings by delivering mobile device management services. “I don’t care if the solution comes from VMware, Microsoft or IBM,” Pyle said. “Mobile devices are only becoming more ubiquitous, creating a bigger opportunity every day for partners,” he said.
The Champion study focused on only the most fundamental mobile device management protection: the password. According to the survey, nearly a quarter of the 47 percent of companies with BYOD policies leave devices open to brute-force password attacks because they lack policies to lock out devices after multiple failed log-in attempts. It also found that only 20 percent of companies require multifactor authentication for device access.
Those are troubling statistics, Pyle said, especially when considering that the Champion study surveyed organizations in security-minded sectors, including manufacturing, health care, IT and financial services. Pyle said that while there is consensus that more stringent security policies and procedures are needed, there is a lack of agreement on what they should be.
Pyle said the survey is trying to create a baseline for companies to work from when comparing their own BYOD policies to those of their peers. “This survey offers true peer review for BYOD policies,” Pyle said. “Now you can see how you compare to other companies in my industry the same size,” he said.
Key mobile password policy takeaways include:
* When it comes to password policies, most organizations favor complex alphanumeric passwords of six to 10 characters.
* More than three-quarters (77 percent) of those polled have policies to lock out devices after multiple failed log-in attempts, usually between three and five tries.
* Around 72 percent of organizations require re-authentication of mobile devices after periods of inactivity, with most opting for lockout after five to 15 minutes.
* The vast majority of those polled have provisions in place for expiring passwords and prohibiting re-use of old passwords.