LONDON, UK - BYOD elicits a mixed response from those in the information security industry. Notable recent examples include security expert Natalya Kaspersky dubbing it an ‘unregulated mess’ and a study from Forrester revealing that IT departments are struggling to manage the deluge of devices now accessing corporate networks.
Experts speaking at the SC Congress London on Thursday weighed in on what is needed to manage these devices, given that BlackBerry's influence on enterprise mobility has declined drastically and it has been replaced by more consumer-oriented devices.
During a panel on mobile security, moderated by SC Magazine UK editor-in-chief Tony Morbin and comprising DMI CISO Rick Doten, Norton Rose Fulbright global CISO Paul Swarbrick and Morrison & Foerster UK LLP partner Ann Bevitt, the panellists suggested that the key to BYOD is establishing policy around which data you need to secure, and to what extent.
“Protection is all based on priority, but it should be on what's the risk [to business] on a day-to-day basis,” said Doten, who added that MDM (Mobile Device Management) should only be a ‘foundation’ for securing personally-owned devices.
“Think about confidential data, sales data and the different kind of risks. Understand the business, what the different parts of the business do and then apply controls and develop policies to an appropriate level.”
Technology moves on from BlackBerry
But part of the problem with enterprise mobility management is that BlackBerry is no longer the sole mobile device in the workplace, and that emerging consumer smartphones and tablets have functionality similar to that of modern-day PCs.
“We live in a post-BlackBerry world. BBM gave us a lot of great security,” he said, noting features like encryption of data-at-rest and data-in-transit. “We don't have the same [security] switches today [on mobile devices].”
“64-bit iPhones are just as powerful as PCs. We need to consider risk the same way.” Swarbrick agreed, adding: “Technology changes but the problems remain the same. I come across people moving old working practices onto new devices.”
Enterprise doesn't understand legal obligations
Another issue that has risen to prominence more recently, says privacy lawyer Ann Bevitt, is that companies are still struggling to understand that the same legal obligations apply to data breaches, whether by corporate or personal devices.
“What we're finding in this area is that there can be two very big liabilities,” said Bevitt, noting employees and data. “If you have an employee using their own device, the company is still the controller of the data… All data protection legislation and responsibilities still apply. You have to bear in mind the legal liabilities.”
Bevitt added that the recent ICO guidance on personal devices and what employees should be doing is a good thing, but urged companies to introduce policies to mitigate the risk. “It goes back to knowing the business and where the risks are.” While good practice may mitigate liability to some extent, ultimately the enterprise remains legally liable even if the breach was due to poor user practice on a personal mobile device.