Company data needs to remain available to authorised users - and only authorised users, and company equipment and services need to only be used for authorised purposes. But how, for example, do you ensure that a work issue phone isn't used to post an inappropriate image to flickr or either deliberately or inadvertently share confidential information on Facebook etc - what are the issues, and what can CISOs do about it?
This blurring of work and personal life is now well-established. Working from home and socialising online from work is enabled by the latest hardware and apps; according to Ofcom's 2013 report, smartphone ownership has doubled in two years, and tablet ownership is up two-fold in a year.
The advent of Bring Your Own Device (BYOD) has required companies to create policies and security infrastructure to gain control of devices and apps that employees use to get their jobs done. New solutions, such as CYOD (Choose Your Own Device) are being created to cover the limitations of BOYD and new ‘new' working practices implemented. CYOD improves flexibility over corporately owned devices, but then there is additional enforcement of security policies as well as limitations on the apps which can be used.
This is because there are real risks and implications for businesses, from a compliance, information governance and reputational perspective. Businesses need to understand and have visibility of their critical information 100 percent of the time. As apps become more useful in our daily working lives the risks increase. For example, the apps which back-up data to the cloud... since an app can't tell the difference between ‘home' and ‘work' it is all backed up, creating risk. Who else has access to the information, and does the organisation know and approve? Others automatically publish information to social networking sites to share among ‘friends', which, when it is a picture of a plate of food, is not that exciting from a corporate perspective, however risk arises when it is a photo of a whiteboard with a confidential product roadmap or strategy on it. How many of your ‘friends' work for competitors?
There is also a new risk around BYOD hardware which moves from one organisation to another with the user. If the information from the first organisation remains on the device and is subsequently ‘found' at the new organisation. There is not only a potential data breach but it also opens up the new organisation to corporate espionage allegations.
As organisations have tightened up on using personal email as a means of transferring information to be worked on at home, I believe that social networking sites and bulletin boards will become the new ‘temporary' transfer mechanism. This ‘hole' in the corporate network needs to be plugged. Most enterprises don't understand the value of their data, who has access and where it is. Without this it is impossible to protect it in a cost effective manner. There needs to be a programme which encompasses the whole organisation when it comes to understanding and securing critical information wherever it is. Information Governance (IG) covers all aspects of information security and use, and is being rolled out across all types of organisations.
Having employees understand the risks and consequences of certain apps and behaviours is critical for organisational security. Policies around new joiners or people leaving the business need to be robust to ensure that there is no ‘old' information on devices brought in, that may compromise an organisation. And assurance is needed that there is no corporate information on devices which leave the company, otherwise there is a severe risk of an inadvertent data-breach - as the now ex-employee may never say if the device is lost or compromised.
From a BYOD/CYOD perspective, work devices should be for business and not for personal use. Having your spouse or children ‘playing' on the device is not ‘acceptable use' and nor is offensive wallpapers and stickers on the cover. It may be ‘your' device – but it contains your company's reputation. The most common device ‘denial of service' is from children who attempt to use their parents' smartphones, get the password wrong (several times) and then the device is wiped?!?!
Awareness must range from top to bottom in an organisation and be ongoing as new risks arise regularly. Paper-based policies need to be backed up with technology to support and enforce them.
‘Corporate' security may need to be installed on BYO devices – or else they cannot be connected to the corporate network or have access to corporate data. Employees need to understand that this is the price they pay for BYOD. Other solutions can watch for inappropriate behaviour on social web sites and in cloud collaboration apps. A process needs to be put in place to deal with both malicious and inadvertent activity which will occur, especially as there will be a learning curve for both the user and the organisation.
With changes to regulations and legislation, an organisation's critical information needs to be more heavily monitored and protected across the organisation and the extended enterprise. It needs to remains secure, whilst new ways of working are embraced, enabling a secure collaborative environment to improve competitiveness and enhance agility.
Contributed by Dr Guy Bunker, SVP Products, Clearswift