A survey of 2,000 people conducted by Check Point in November found that of those who sometimes or frequently work away from the office, 34 per cent regularly forward material to personal email accounts so they can continue working elsewhere; 40 per cent check work email regularly on personal phones or tablets; 33 per cent carry work-related data on unencrypted USB sticks; and 17 per cent use cloud storage services such as Dropbox.
This is despite the fact that 25 per cent of workers say their company's IT policy specifically forbids such actions, while a further 23 per cent either do not know if their company has an IT security policy, or are not aware of what their company's IT policy states.
As a result, 50 per cent of British people say their trust in government and public sector bodies has been diminished while 44 per cent say their trust in private sector companies has been reduced as the result of breaches and losses of personal data over the past five years; 77 per cent of people would prefer to buy goods or services from a company that had not suffered a data breach, with only 12 per cent saying that it was not important to them whether a company had suffered a breach.
At a roundtable held by Check Point to discuss these issues, contributors suggested a number of ways to deal with these problems. Kevin Bailey, research director for European security software at IDC, argued that while an organisation has to trust its employees to some extent, as well as those intent on being malicious, there are those who might be socially engineered and those acting incorrectly but innocently.
These people have to be protected and the organisation has to protect itself from them, too. “In God we trust – for everyone else, there's the end point.”
Martin Pickford, head of technology security solutions at EE, added that education in combination with contracts is important. “People need to be aware of the rules and they need to be reminded. But if they go bad, they go bad and you can't stop that.”
Andy Lucas, a partner at law firm SNR Denton, agreed, arguing that organisations should “trust no one but trust in the contract”. While security can be enforced technologically and physically, ultimately, it's only if there's a legal way to enforce security policies internally that security can hope to succeed, since at least some people will always be willing to try to circumvent security for both good and bad reasons.
It's a suggestion picked up by Pickford: “People have to understand that they'll lose their job.”
However, Bring Your Own Device (BYOD) and mobile working are blurring the boundaries between employees' work and personal lives. These two trends have their benefits, for both employers and employees: employers get more flexible working patterns, can spend less on hardware and support, and can potentially access more powerful technology than they would otherwise have been able to afford; employees can work the way they like when they like on devices that they're familiar with and they don't have to have two of everything.
Peter Warren, chairman of the Cyber Security Research Institute, suggested that BYOD can actually help with security. “You will only get people to buy in to security if it's their responsibility to look after a device.” An employee is far less likely to lose their own computer or smartphone than they are a company-provided one, particularly a ‘CrippleBerry’ that is more of an inhibitor to flexible working than an enabler.
Nevertheless, both trends still have problems, particularly for security. As the survey showed, employees are likely to want to use insecure services such as Dropbox for accessing data at home or on their phone, which could potentially lead to data losses.
They aren't going to want to use their smartphone for work if they can't use their own apps, such as Facebook, because the company doesn't like it or regards it as a security risk. They're even less likely to want to have their phone or home computer wiped completely when they leave the company.
Andy Lucas pointed out that in the US, contracts requiring employees to submit to such wiping are being challenged in the courts: “Are employees really positioned to give consent to such contracts?” While there hasn't been a challenge in the UK, relying simply on employment contracts may not be enough.
At the very least, says Lucas, in combination with contracts, there needs to be training for employees in how to be secure. But companies also need to consider whether they're applying new standards to an old phenomenon. “Employees have been taking customer lists since the industry began. The key issue is enforcement. Cast iron contracts help, but it's also partially behaviour. People going on gardening leave for six months after they leave a company is partly about getting them to forget things.”
But panellists largely agreed that the solution to the security risks presented by BYOD was to focus on the data and securing that, rather than the devices or endpoints. Encryption in particular was seen as the best way to safeguard against data loss, since even if data is transferred insecurely by email or Dropbox, if it's encrypted, no one else can use it.
“Companies want to take over security for devices but that can cause issues,” said Check Point major accounts director Caroline Ikomi. “But it's easy to take control of data.”
However, while Peter Warren wanted to know why encryption wasn't legally mandated for all devices – although he suggested that at most security conferences, the only people attending who were against legally mandated encryption were from governments – both Martin Pickford and Caroline Ikomi pointed out the problem with encryption is key management.
“It's a pain and an overhead,” said Pickford. Advances in key management usability might well be the solution to broader adoption of encryption within organisations. Indeed, if there was one thing the panellists could agree on, it was that there are no easy answers to the issue of trust, at least not yet. “Trust is probably going to be the big fundamental argument we get for the first 20 years of this century,” suggested Peter Warren.