When I was invited to attend a roundtable on ‘mobility’, hosted by Canon, I was in two minds. I kind of feel like I’ve heard it all before when it comes to BYOD and security challenges around remote working. On the other hand, it’s still a topic which interests and challenges our readers so I decided to attend, armed with an optimistic objective to learn something new.
In all honesty, that objective was not met. There were no new or magical ideas brought to the table, but there were some very interesting perspectives and commentary.
Below is a sample of some of the commentary that I found most interesting:
Who’s driving the change: employee or employer? According to lawyer of 34 years, Robert Bond, Partner and Notary Public for Speechly Bircham, it’s the younger generation of employee. “The younger generation of employee has a horrendous understanding of privacy and discretion... So much communication happens through social media and SMS and instant messaging – this needs to be translated onto the computer systems for records and compliance”. According to Javvad Malik, analyst at 451 group, it’s not just the employees that are changing. “It’s also companies. They’ve moved from physical to electronic to digital and they are becoming information companies. This is why BYOD has such a large impact – it’s easier to leak things.”
“How do you manage the bleed of intellectual property? Value resides in the information, so you need to protect that all along. You may want to intentionally bleed some IP to test the market”, said Adrian Davis, principal analyst for the ISF. “The legal question of who owns the data is a big one. No-one thinks about IP in cyberspace”, said Bond. Davis added: “Contracts often don’t include IP.”
E-discovery is a big data problem, said Davis. “It’s a huge issue because organizations don’t structure their information or know where it is. The average company uses 30 cloud suppliers without a proper risk assessment.”
People are still the problem. Jamie Bouloux, cyber products underwriting manager at AIG, said that training and education need to be updated to avoid the increasingly high percentage of breaches that are a result of human error (more than 97%). Bond argued that breaches are the result of “human error, bad policy or breach of policy”, and Davis added that the problem is that people don’t read policies that don’t revolve around holiday allowance and expense claims.
Quentyn Taylor, director of information security at Canon, insisted that the key is to make the training apply to the employee personally. “Remind them that their personal data can be leaked, not just the company’s.” Bond agreed. “Tying corporate information to personal items is a good idea because they’ll be less likely to lose it.”
Bouloux believes in “hitting people in the purse if they act wrongly or without care. Make a statement – fire someone for leaking IP.”
Risk, not media hype, will drive the data protection legislation, believes Bond. “Everyone will be made to step up and we’ll witness better due diligence.” There has to be a fundamental reason to buy cyber security, said Bouloux. “What’s the insurable risk? People are buying insurance to enable business continuity. Organizations need to look at what is an insurable risk. We ask questions about levels of encryption and compliance certificates.”
We don’t need more standards, declared Adrian Davis. “We just need something that everyone gets. Standards are only as good as the people who write, implement and audit them.”