A lunchtime keynote panel at this year’s Infosecurity Europe show in London – moderated by Nigel Stanley of Bloor Research – focused specifically on what organizations can do to allow greater flexibility among their workforce. Aptly titled “Can You Turn Mobile Devices to Your Advantage, Or Are They the Next Big Security Hole?”, the group explored questions surrounding the increasing use of consumer-geared devices in the enterprise space.
Stanley, practice leader security at Bloor, said the aim of the session was to provide a new perspective on mobile devices. “We are going to try to put a more positive view on mobile devices, and hopefully look at some of the benefits to your organization”, he told the audience, in contrast to the “doom and gloom” warnings that have recently been the norm. The results, however, were quite mixed.
“[We] have a very active field force that are desperate to get smartphones and smart devices because it’s a real advantage to the organization to use these devices for business applications”, said panelist Gary Cheetham, CISO of NFU Mutual, an insurance company based in Stratford-upon-Avon in the UK. “The problem is the speed in which they want to do it, and the way they want to use them, that gives me lots of concerns.”
Fellow panelist Michael Everall, CISO of Lehman Brothers Holdings, oversees security for a workforce that is nearly all mobile, as they go about their job of helping the former securities giant liquidate its assets. His users continue their demands to use these devices on the job, which include tablets and consumer-targeted smartphones.
“We are moving away now from being able to simply use the BlackBerry”, he noted. “All of these [smart devices] provide additional vectors where you have issues of concern. We have to look past what the actual hardware is, and far more into the content – the policies and processes, the standards and guidelines around the actual information itself.”
Stanley then asked the panel if mobile smart devices are indeed secure enough to serve their purposes.
“I guess that depends on what they are being used for”, Cheetham said with amusement. His organization, he added, mostly uses BlackBerry devices, which do not present NFU Mutual with any “significant” data security problems.
“However, like a lot of organizations, as senior management see their pals with other devices, they want those devices because they see applications for them, and they want them very quickly.” The problem this presents, he told the audience, is that he often finds his security team up against time constraints under demands for these new devices, which does not provide ample time to secure them.
The BlackBerry has strong controls, which Everall labeled as the industry “gold standard” for security. But when the UAE tried to push some tracking malware to BlackBerry users within the country to monitor communications, the device became “a backdoor entry”, as the government did not value confidentiality.
While Everall and Cheetham saw instances where smart device use could be secure enough for enterprises, Louis Gamon, information security officer for the John Lewis Partnership, abruptly stated that they were not, at least from his point of view.
Looking at all the instances of smartphone data leaks in the press, whether at the hardware or application layer, one can only conclude that consumer-based devices pose a much greater risk, Gamon believes.
“GCHQ say that BlackBerry is secure, and they have enough experience to know what they are talking about”, he declared. “I don’t think currently that the Androids or other mobiles are anywhere near secure enough – not just for enterprise, but for personal use.”
Rounding out the discussion, Andrew Turner, IT security officer for NHS Dumfries & Galloway, said it depends strictly on what the user is doing with the smart device. “You have to go into this with your eyes wide open”, he continued, as these devices offer few of the security tools that IT managers would expect from devices approved for use within an enterprise.
In closing, Turner warned: “They are consumer devices and, as such, they are insecure devices.”