Mobility and BYOD need security rethink, Zinopy says
Zinopy MD John Ryan and Conor Flynn, founder of Information Security Assurance Services
Traditional perimeter security won’t offer sufficient protection for data as businesses go mobile and the ‘bring your own device to work’ trend gathers speed.
That was the view from a recent event hosted by the information security specialist Zinopy, which featured speakers from consulting, legal and technology backgrounds.
The backdrop to the event was the growing use of smartphones, tablets and mobile devices in the workplace – a fundamental shift from the days of PCs and applications being provided to desk-bound users.
According to surveys from market watcher Gartner, 90pc of organisations say they will support corporate applications on personal devices by 2014.
Zinopy MD John Ryan said the trend represents a “steep learning curve” for many businesses.
“This is being driven from the top down in organisations. There’s a demand there to allow access for mobile devices. Maybe the IT department mightn’t be ready for it yet.”
Conor Flynn, founder of Information Security Assurance Services (ISAS), said there are several areas of concern around mobility and data, such as data leakage and loss, data theft, brand and reputational damage, legislative and compliance issues, data classification and unauthorised access to systems.
“It’s key for organisations to assess real and tangible business needs, not just device envy. Developing corporate policies around mobile device management [MDM] and bring-your-own-device [BYOD] is an excellent way to address mobility-related concerns within an organisation.”
Paul Johnson, EMEA sales director at Boldon James, said the challenge for organisations is in preventing sensitive data going to mobile devices in the first place. Often, business emails are typically synced to personal smartphones and other mobile devices. This presents the strong possibility that sensitive data resides on devices that can be easily lost or stolen.
Minimising risk of data leaks
Technology alone won’t remove the risk of data loss, but marrying it with good employee procedures could be a way to alleviate the possibility of sensitive information leaking out of the company, Ryan said.
A hybrid option whereby email might be downloaded onto the user’s mobile device, but more sensitive information, such as HR records, would only be visible through a virtual desktop so the data is never physically present on the device.
Ryan recommended that businesses should operate a process whereby the person who creates a document should be obliged to classify it under tags like public knowledge, highly confidential or internal only. “Because that document is classified, you’re able to put [technical] controls in place much, much easier,” he said.
IT security has traditionally been seen as the “policeman” of the organisation but that shouldn’t be its role, Ryan added. “Business has to take ownership of the data that’s in their organisation. It should be about giving responsibilities for classifying information, and then IT has the controls to manage it in a more effective way.”
Progressive organisations may look to put data classification in place sooner rather than later, but the practice could soon become mandatory. According to David Hackett, a partner with Dublin-based corporate law firm Eugene F Collins, proposed new EU data protection laws would see fines of up to €1m or 2pc of global turnover imposed for a serious data breach – a statement which prompted a murmur around the room among the IT professionals in attendance.
Separately, the EU’s information security agency ENISA has issued a report to guide businesses on the risks associated with the growing ‘bring your own device’ to work policy.
The report, Consumerisation of IT: Top Risks and Opportunities, was compiled using input from experts in academia and industry, and one of the contributors was Jim Clarke, programme manager at Waterford IT and a prominent security researcher.
The document outlines several risks and benefits around BYOD which need to be addressed with policies and mitigation strategies, ENISA said.
The three main areas of risk relate to cost, legal and regulatory issues, as well as data confidentiality, integrity and availability. The potential benefits are grouped under finance, human resources, operational opportunities and data management.