Comment: Avoid the Inherent Risks of Consumer Gadgets and Email

"Email is an inherently insecure platform for communicating", says Thielens

The consumerization of IT has been on the horizon for a few years. However, with the explosion of more and more sophisticated consumer devices at reasonable price-points, it is becoming an even more important issue for any CIO to address in order to avoid an increased risk of data breaches.

Consumer gadgets are increasingly appearing in the workplace, with the expectation that employees will use them to enhance their productivity; some businesses are even helping to fund this trend with bring your own device (BYOD) schemes. Consumerization is here to stay and brings with it a whole raft of new security and data management problems.

First there is the age-old problem of lost or stolen devices. From the laptop left on a train to the smartphone lost in a pub, the legal ramifications of the data on these devices being lost can be enormous, with threats of huge fines from data breaches – not to mention the sensitive commercial information that could be harvested. This is why many organizations invest in remote wiping utilities, to ensure that the potential damage caused by missing gadgets is minimized. A good thing, no doubt, but the second, and I think under-discussed, issue comes from moving data from point A to point B.

There are several ways of transferring data to a mobile device: docking directly with a computer, transfer within a secure network (via WiFi or Bluetooth connection, for example), over mobile networks and over email. It is email that presents the biggest problem.

Email is an inherently insecure platform for communicating. There are ways of protecting email systems by having security policies in place that dictate which files can be sent to whom, but humans are a resourceful bunch and often easy to dupe. Who is to say that the WiFi connection they have jumped on in a café is legitimate or secure? And how are you going to stop them from using web-based email platforms – such as Hotmail and Gmail – for moving data? Can you be sure they are not uploading files to consumer cloud platforms? These are the questions that need to be addressed to maintain data security on a mobile device.

A combination of software and education has to be the only adequate solution. Your employees need to have the right tools for the job, no matter what kind of machine they are using. Secure email clients with secure file transfer applications are a must – but they can be undermined if staff fails to understand the importance of making use of these tools rather than personal email. You only have to look at the recent incident in Cheshire East, where a data breach was caused by a council employee with the best of intentions who sent sensitive information outside of the secure network. This brought the council official censure and a fine of £80,000. The employee in question stated that she did not have the adequate tools for the job and lacked an appropriate council email address.

The shocking thing about this story is not that the data breach happened, but that this type of behavior and data mismanagement happens every day in all kinds of organizations. Anecdotally, the majority of people you could ask will admit to having used personal webmail accounts at work when the provided systems have failed to give them the ability to carry out their jobs effectively.

The fact is that humans are, by nature, very good at evading security procedures when they get in the way of performing their day-to-day activities. A business has to provide employees with the necessary tools and knowledge to behave in a security-conscious way if it wants to have any hope of them doing so.


John Thielens is Axway’s chief architect, Cloud Services. Thielens oversees Axway’s advanced research and the architecture team’s activities related to cloud computing and deployment. He’s active in Axway’s patent development program and works closely with the security office to develop new solutions.
