In a panel debate at the Infosecurity Europe exhibition in London, questions were asked on whether smart devices are secure enough for what they are needed for and can consumerisation be turned to a business's advantage?
Michael Everall, CISO at Lehman Brothers Holdings, said that every organisation is an omnivore and employees need to access data fast, cleanly and timely.
He said: “Each device has greater access and greater potential for loss. You can lose the hardware but people do not care, it can enable you to do more but if it is not managed then it keeps you awake at night.”
Asked if smart devices are secure enough for what they are being used for, Gary Cheetham, CISO at NFU Mutual, said: “It depends on what it is used for. Senior management might see a device and applications and want them and we find ourselves with a state of content security because they want to use them.
“Also a lot of devices are more used in the corporate world but it is all about protecting data. Are we secure enough? We have to wait and see as the threat horizon is changing and we are always playing catch up, but some devices are secure enough.”
Everall said: “The phone can be a backdoor entry, it is good in part and you can do whole device encryption and have more ability to control it but you can still lose it. If you are using a personal device with company data, you are responsible for it and hold the risk, what was and what can be accessed. It is not going to get any easier but you have to be aware of what it can and cannot do.”
Andrew Turner, IT security officer and information governance lead at NHS Dumfries and Galloway, said that smartphones are consumer devices and if a device can be remotely wiped it can be used by them, but users need to be aware of the shortfalls and pitfalls.
Turner also said that a main problem of working with smartphone and tablet devices is that many are only on sale for one year and are not on shelves long enough to manage or to source parts for repairs.
Asked if personal devices could be turned to a business's advantage, Gary Cheetham, CISO at NFU Mutual, said that there is an advantage in using them, but IT professionals firstly need to paint a picture for the board with the risk appetite. “You need to shed some light on policies, keep an eye on the acceptance on accessibility for what devices are used for and address risk on how to protect but be invisible,” he said.
Everall said: “You also need to address education, training and awareness. You do not have to protect the organisation or the team in this instance, but the individual. Help them and they will help you.”