ITProPortal spoke to Nick Banks, VP EMEA and APAC for Imation Mobile Security about what he thinks are the major threats facing businesses and government departments, what the most common mistakes are in implementing a security policy, as well as what he finds frustrating about the security industry.
If you've got four or five thousand devices out there, with employees able to access work information on each device, you get a number of things happening. A: They lose them. B: They lose them in really embarrassing places, like public transport, buses trains, restaurants and bars and pubs – even throwing them in a bin. All of those places you've heard in the horror stories we see in the media.
But it's not only that they lose them – it's that when they leave the company they hardly ever return them. They keep them. And if that's got data on it that could be useful to the new company, but very destructive to the old company, then in the end you need a way of preventing that.
I'm a believer that passwords will eventually be phased out. I think we'll find another way of securing our data, because in the end it's not the technology that's the weak link – it's the person. If you ask someone to remember all these passwords for all your different business and social accounts, people fall into two camps:
They go for the easy password, one size fits all. They use the same password for everything.
Or they use two passwords: one for business, one for personal.
The other thing that happens when a business ask their employees to have different passwords for all their accounts is that first of all, they forget them. Either that, or they write them down - so that's an instant possible breach.
Any of these government departments and commercial entities you speak to and ask "how many laptops have you lost over the last year?" – it was actually 60 lost from one government department up in Scotland, and other places I've been to, four have been lost – they don't know where they are!
So is BYOD the problem?
When I started work, you started at eight in the morning, and went home at 6, and didn't think about work until the next day. There was no Internet, really – it was in its infancy. The company now expects you to take work home, and even if they don't say that, there's just too much work to do in the day. Often you have to work from home in the evenings just to stay on top of your workload. I very rarely come across someone who says I can do all my work between 9 and 5".
People take their work home now, and you have to be sure from a company perspective that any work that gets taken home is being properly secured. You can put it up into a personal cloud, into DropBox and so on – but is that secure? Do you want people putting company files in DropBox and then sharing that folder with friends who they want to give photos or music?
You have to be using devices that feature hardware encryption, that allow people to work from home securely and safely.
So are consumer clouds inherently insecure, or is it how we use them?
I don't think these kinds of consumer clouds give the right level of security. Certainly not in government, where you don't even know what people are putting in there. Also when people don't disguise their files in their DropBox.
"Newly polished CV" – a file with that name might give the game away to your boss that you could be looking for a new job, for instance.
That's the nice thing: when it comes to privacy, BYOD is a two-way street. There was a study recently that showed that almost 70 percent of employees in the United States and Europe would stop using their own device for work purposes if they knew their employer could remotely wipe or lock it. So if companies could see our personal files, most employees wouldn't want to use a BYOD policy.
So the key is not just having good security for the company, but to have the employees feel secure too. The worker will be very concerned if the company has access to personal data too.
Is there any such thing as over-reacting to security?
No. If security is hampering your business, then maybe you need to look at your security policy. A poor policy can get in the way of work, but better security always makes things easier.
Also, of course, over the years people have bought so many security solutions, that it's about making sure they work well together. You have to be able to react to a breach, to shut down the area that's been compromised, but without stopping the work flow. You shut down areas that are infected, cure it, kick it out and carry on without anyone really noticing. That's an effective security policy.
What most frustrates you about the security industry?
I think what frustrates me most is that certain companies take very much the approach that they'll speak to two security companies, they get a perimeter defence in place, and they get an internal defence in place. It'll usually just be an anti-malware product. It's saying "that's good enough" – that's what annoys me. It's just ticking a box, and saying "what can I get that for the cheapest possible price" that ticks that box. There are a number of companies and government departments that have taken that approach, and have paid the price. Just look in the papers.
One of the biggest problems is that people are still trying to secure machines, but they don't take steps to secure their people.