The founder of a security firm in the UK, Ian Mann at ECSC, has pointed out that “‘ignorant’ senior managers are putting their organisations at risk when it comes to the Bring Your Own Device (BYOD) culture,” according to channelbiz.co.uk. Mann points out that BYOD is a “backward trend” and it sounds like the use of BYOD security software will not change his mind on the current state of affairs.
Mann is not inaccurate in his assessment of smart mobile devices (although one could argue he’s a bit more cynical than others — but then, what security professional worth his salt isn’t?). Let me give you an example why.
A Personal Example of How Mann is Right
Yours truly knows of a professional who set herself up for a data breach over this weekend due to the security status of a smartdevice — in this case, an iPod Touch that is linked to her company’s email. Because of the presence of company data, the Touch (or as some call it, Apple’s fake iPhone) usually has password protection turned “on.”
iOS devices — iPads, iPhones, and iPod Touches — already come with full disk encryption enabled. However, it’s up to the devices’ users to supply a password that will ensure that the disk encryption lives up to its reputation of providing security. (Without the password, disk encryption is “just sitting there.” Think of it as the world’s strongest safe that opens the moment you turn the handle because it’s not locked.)
Anyhow, returning to the professional — she was using the stopwatch on her Touch and found that she got locked out after one minute of inactivity. She decided to get rid of her password temporarily and enable it again once she was done using the timer.
However, she forgot to do so. It took her over a day to realize that she wasn’t being prompted for a password when using her iPod Touch, which she promptly rectified. They say that all’s well that ends well, but the truth is that she had set herself up for a potential data breach.
On a related note, the use of certain BYOD security measures, such as AlertBoot’s Mobile Security software, could have prevented the above. One of the settings is the enforced use of a password. My friend would have found it impossible to turn off her password had her company used our mobile security management software.
Security vs. Everything Else
As the above shows, smartphones and other BYOD-enabling tools can pose a real threat, even when they are supposedly secure. But, is “banning these devices” the answer?
Ian Mann, founder of ECSC, said information security professionals all recognised the risks as devices outside of organisational control were a source of vulnerabilities.
He added these devices were “a route” for hackers to obtain confidential information, and this area is likely to be the next big cause of security breaches.
However, instead of banning these devices completely the company wants organisations to step back and “assess the risks”. [channelbiz.co.uk]
Completely banning devices. Well, that’s one answer — and the best, in terms of maintaining top-notch security. However, it comes to the detriment of productivity. As it’s often noted, the most secure computer in the world is one that is not connected to the internet; and is locked up in a room; and is not allowed to be touched by anyone. It’s also the world’s most useless computer.
Plus, what about the laptop computer, which is no different from a smartphone or a tablet as a data storage and processing device? Would Mann also argue that laptops were a backward trend? Possibly. But I doubt it…although I do assume that Mann’s quotes have been taken out of context.
Truth be told, there’s a higher risk of a laptop computer being at the heart of a data breach as opposed to a device being used as part of a BYOD program. Records pertaining to HIPAA data breaches involving 500 or more patients, at least, prove this: In 2012, to date, laptops account for 29 data breaches. “Other portable electronic devices” account for 12 data breaches, which include not only smartdevices but external hard drives and USB memory sticks. Paper documents account for 11 data breaches.
The answer is something in the middle of the road, between digital laissez-faire and complete lockdown. The use of MDM software like AlertBoot represents this middle road.