By John Thielens, Chief Security Officer, Axway
The consumerisation of IT has been on the horizon for a while now, but with the explosion of ever more sophisticated consumer devices at reasonable price points it is becoming an increasingly important issue for any CIO to address, or else face data breaches from all sides.
Consumer gadgets are increasingly appearing in the workplace with the expectation that employees will use them to enhance their productivity, and some businesses are even helping to fund this trend with bring your own device (BYOD) schemes. Consumerisation is here to stay, and it brings with it a whole raft of new security and data management problems.
Firstly, there is the age-old problem of lost or stolen devices. From the laptop left on a train to the smartphone lost in a pub, the legal ramifications of this data being lost can be huge, with the threat of large fines for data protection breaches, not to mention the sensitive commercial information that could be harvested. This is why many organisations invest in remote wiping utilities, to ensure that the potential damage caused by missing gadgets is minimised. A good thing, no doubt, but the second, and I think under-discussed, issue comes from moving data from A to B.
There are several ways of transferring data to a mobile device: docking directly with a computer, transfer within a secure network (via a Wi-Fi or Bluetooth connection, for instance), over mobile networks, and over email. It is email which presents the biggest problem.
Email is an inherently insecure platform for communicating. There are ways of protecting email systems by having security policies in place which dictate which files can be sent to whom, but humans are a resourceful bunch and often easy to dupe. Who is to say that the Wi-Fi connection they have jumped on in the café is legitimate or secure? And how are you going to stop them from using web-based email platforms, such as Hotmail and Gmail, for moving data? Can you be sure they are not uploading files to consumer cloud platforms? These are the questions that need to be addressed to maintain data security on a mobile device.
A combination of software and education is the only adequate solution. Your employees need to have the right tools for the job, no matter what kind of machine they are using. Secure email clients with secure file transfer applications are a must, but they can be undermined if staff fail to understand the importance of using those rather than personal email. You only have to look at the recent data breach in Cheshire East, where a council employee with the best intentions sent sensitive information outside of the secure network. This brought the council official censure and a fine of £80,000. The employee in question stated that she did not have the adequate tools for the job and lacked an appropriate council email address!
The shocking thing about this story is not that the data breach happened, but that this type of behaviour and data mismanagement happens every day in all kinds of organisations. Anecdotally, the majority of people you could ask will admit to having used personal webmail accounts at work when the provided systems have failed to give them the ability to carry out their jobs effectively.
The fact is that humans are by nature very good at evading security procedures when they get in the way of performing their day-to-day activities. A business has to provide employees with the necessary tools and knowledge to behave in a security-conscious way if it wants to have any hope of them doing so.