You cannot stop the tide. Whatever security nightmares portable data devices bring with them, Andy Cordial believes that employers have to accept that such devices are going to be used. The trick is to control the devices rather than discourage their use.
Ten years ago the dawn of a new decade brought with it a trickle of employees requiring the ability to access information while away from the office. Organisations dipping their toe in these waters did so primarily by utilising dial-up methods. Today we’re no longer concerned with how to make it possible as the consumerisation of IT has empowered everyone with the ability to stay in touch, via a deluge of devices, when out and about. The focus instead is how best to exploit the desire and trend for flexible working practices and utilise an increasingly mobile workforce, securely.
The 2010 Landscape
2010 experienced a slower return to business than usual following the festive period due to the extreme weather conditions across the UK. The snow’s imminent arrival was much publicised and, although some local councils failed in their efforts to keep the roads clear and the transport network flowing, many employees did plan ahead for snowy days and took work home with them. Although not physically at their workstations, many more accessed the corporate infrastructure using mobile devices, such as netbooks and Blackberrys, keeping the corporate wheel turning, albeit slightly slower than usual.
According to a report in The Times, business groups warned that the cost of absenteeism to the economy due to the January snowfalls could reach £2 billion, but that could be just the tip of the iceberg if the sensitive data that was accessed during the big freeze floods out into the public domain.
Channel the Tide
With mobile devices considered manna from heaven to workers seeking flexibility, they have become a plague for the information security professionals trying to secure them. Small USB memory sticks, often without any security features, are easily available, and users can carry and transfer massive amounts of data on them. Worms and other malware that target iPhones are being discovered: one example is a worm that steals banking data and enlists the device in a botnet, although at the moment this is thought to be limited to the Dutch online bank ING. However, the major cause of data breaches is theft of mobile devices, especially laptops. Tens of thousands are stolen every year, often containing sensitive data whose loss requires public disclosure as a data breach.
With data protection high on the corporate agenda, and the workforce literally taking matters into their own hands and utilising personal devices to facilitate the need for portable access to information, organisations need to recognise this drip of corporate records before the flow of sensitive data breaks free and pours out into the public domain. The way workforces function is changing and, arguably, it is in the organisation’s favour to embrace an employee’s enthusiasm to spend their own time completing tasks at home – especially when snowed in or unwell when physical presence in the office isn’t feasible. The hard bit is to do so securely.
Someone who wants to transfer data from the safe confines of the corporate environment will do so, with or without your blessing – they’ve got a tool to utilise in a pocket and they’re willing to use it. Organisations need to recognise this fact and counteract it.
The first step is to educate the workforce on the risks this practice exposes the organisation to, and then to facilitate the process so that they can transfer data securely.
Pick the Right Solution
Just as there are a multitude of devices designed to carry data, so is there assorted technology to secure it. The challenge is to pick one that provides the right level of protection for your data balanced with ease of use for your employees – if it’s inadequate then why waste your money; if it’s too complicated, it’ll be circumvented. If the employer provides its workforce with a tool to port data securely, an employee has no reason to use an inadequately protected device, thus giving the organisation the choice of how the data is secured.
The ICO recommends that portable and mobile devices used to store and transmit personal information should be protected using approved encryption methods which are designed to guard against the compromise of information. The belief in this technology is so strong that, where data breaches occur and encryption has not been used to protect the data, it publicly states enforcement action will be pursued.
By employing an encrypted solution that is capable of locking down all your valuable data, you have no need to worry if the worst happens and your mobile device is stolen or goes missing, as you’re still watertight.
Andy Cordial is Managing Director of Origin Storage. Origin Storage will be exhibiting at InfoSecurity Europe on 27th-29th of April.