Security strategy: Staff smartphones ring the changes

Employees' own devices at work must cause a security rethink...

As more staff use their own devices to access corporate data, firms should be devising a security architecture that is as much about creating business value as about cutting risk, says Bob Tarzey.

There's little doubt that employees want to use a growing range of devices to access data. Recent Quocirca research shows that while Windows-based desktop and notebook PCs still dominate, they are fast being supplemented by a diverse range of alternative form factors and operating systems.

Firms will only embed mobile users and their devices into business processes if data can be shared safely. Photo: Shutterstock

In the new survey, which was sponsored by Trend Micro, 88 per cent of small and mid-sized businesses say at least some of their employees are using smartphones for business purposes and 43 per cent report that one or more of their employees use tablet PCs.

These devices are not always owned by the business. Some 74 per cent of the firms questioned say some of the devices used belong to staff.

Respondents to the survey cite more efficient business processes as the biggest benefit of enabling access to data from mobile devices. However, whatever the benefits, such sharing creates security headaches for IT managers, especially as most of the sharing is over public networks.

Only if data can be shared safely will businesses have the confidence to embed mobile users and their chosen devices into business processes. That is the message of a recent Check Point-sponsored report by Quocirca called A value proposition for IT security, which is available for free download.

Creating a compliance-oriented architecture

The report advocates putting in place a compliance-oriented architecture, or COA. The justification for any investment required to achieve a compliance-oriented architecture is as much about creating business value as it is about reducing business risk.

Discussions about IT security usually focus on reducing the risk posed by outsiders or malicious insiders. Mitigating these risks remains paramount but it is also important to make sure that a compliance-oriented architecture protects well-intentioned employees from themselves.

The most common way data leaks occur is through the accidental actions of employees. They need to share data but may accidentally share the wrong data with the wrong person by email or some other communication channel.

And of course, unless this is controlled in some way, they may store data on mobile devices that are subsequently lost or stolen. Theft, accidental loss and erroneous disclosure are by far the most common reasons for self-reported data breaches, as data in the report shows.

High-profile data loss incidents

The irony is that while data loss is a common problem, despite the many high-profile incidents - not least the recent problems at Sony - lost data is actually rarely compromised. The thief who steals an iPad is more likely to be interested in the resale value of the device than the data stored on it.

Yet that fact does not cut any ice with regulators. Good management of personally identifiable information is obligatory. Organisations must comply and be seen to comply.

A compliance-oriented architecture involves putting in place...