Aon warns that businesses are playing a dangerous game with BYOD

5 Sep 2014

Sarah Stephens, head of cyber risk and commercial E&O (EMEA), Aon Risk Solutions; with Philip Nolan, partner, Mason Hayes & Curran; and Seamus Carroll, head of data protection unit, Department of Justice and Equality

About 66pc of Irish firms allow employees to access confidential company files through their own devices – making the hacking of celebrities’ private pictures earlier this week look like a walk in the park for hackers.

For some penny-pinching employers, the bring your own device (BYOD) trend is a no-brainer financially – let the workers buy their own phones and computers – but without the right security strategy in place, the ramifications could be more costly than they could ever have imagined.

According to Sarah Stephens, head of cyber risk and commercial E&O (EMEA) at Aon Risk Solutions, firms in Ireland and across the world are running the gauntlet and aren’t aware of the potential exposure to their business.

Stephens was in Dublin today to attend a conference about the EU Data Protection Directive, hosted by Aon in Ireland.

So what if a few celebs get their pictures published by hackers because their passwords were hacked? What if passwords to cloud accounts where financial information or intellectual property are stored get accessed because of lax security in the company or on employees’ part?

Aon estimates 92pc of companies in Ireland are exposed to cyber risk – that’s higher than the global average of 86pc.

Stephens warned, “The amount of data floating about the place unstructured and insecure is frightening – because people are getting familiar only now with cloud technologies they are unclear where the data goes. It is difficult enough for individuals to comprehend, let alone companies.”

As Stephens sees it, the major culprit is BYOD. Firms are embracing the concept but aren’t putting in place defences or structures to ensure data that flows through the devices doesn’t fall into the hands of hackers.

She urged firms that encourage workers to use smartphones, tablet devices or their own laptops to embrace a strategy of “containerisation.”

“This is a separate box that you attach to your device that protects company data. What it does is track usage, ensure complex password usage and enables remote wiping of data. For example, with this technology users can’t cut or paste company data outside the app.”

Providers of containerisation technologies include AirWatch and Good Technology.

Younger generation of workers has different opinions on privacy

Stephens said we are only at the beginning of a newer, more troubled time for security that could make this week’s celebrity hackings feel like more innocent times.

“There are a couple of dynamics at play. The younger generation of workers has different expectations of privacy because many have grown up sharing their entire lives on social media, which has reduced their expectations of privacy. That’s a huge cultural change.

“The other factor is people’s understanding of technology and privacy hasn’t kept pace with the technology itself. They have no idea of their security settings or that the iCloud or other cloud services were backing up their data.”

Stephens said companies such as Apple, Facebook and Twitter, as well as cloud providers such as Google and Dropbox, will need to take a more active role in educating users.

“Technology gets ahead of people and what that means for technology companies is that if they are not held liable, they will at least be alleged to be liable for not making their products easy enough to understand.

“Some of these companies may not see it as their responsibility to educate or inform, but it is in their interests in the era of corporate social responsibility with respect to privacy to educate.

“It may not affect their liability, but it will certainly affect their reputation.”

Wising up on BYOD

Returning to ordinary businesses running the gamut of industries, Stephens warned that viewing BYOD as a cost-saving strategy is foolish.

“It is being hailed as this big cost-saving trend because you don’t have to buy a fleet of devices like BlackBerrys, as you would have in the past.

“The idea that this is a cost-saving opportunity is not sustainable and companies will need to change their views on mobility and what they are doing with their data.

“A lot of chief security officers I talk to don’t like BYOD. They admit they don’t have a good handle on it and usability issues with the software on the devices and in the apps are a recipe for disaster.

“Many of them hanker for the day when they were able to get locked-down security on devices, such as BlackBerrys from RIM,” Stephens said.

“But now BYOD has become the Achilles heel. There is no such thing as 100pc security, but now there are more threats out there than anyone could ever have anticipated.”

Aon is a Silicon Republic Featured Employer, comprised of top tech companies that are hiring now

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years