Enterprise Mobility Summit 2013: The biggest mobile security risk is still human beings

Education rather than lockdown is key to keeping hold of mobile data, says panel

Top-down mobile security policies, locked-down devices and bans on BYOD can only go so far in preventing breaches, according to a panel of experts at Computing's Enterprise Mobility 2013 summit this afternoon.

"Over the past couple of years we've realised it's almost impossible to lock down everything, so from a device perspective we treat laptops, mobile phones and tablets as disposable assets," said Josko Grljevic, IS director at thetrainline.com.

"From a security perspective, the expectation is they'll get stolen, lost or damaged, but from a systems security perspective you don't have to worry, because it's a given."

Grljevic described protecting the data itself as "the easiest thing to do", but said that even the software versus hardware argument is no longer the main concern in mobile data security:

"The thing that keeps me awake is not the fact I've lost a machine, but what end users do with data. I'm the worst culprit of all - I love to store my data in the cloud. It's easiest. I can change devices and keep using it easily."

John Robinson, IT director for global infrastructure at Tata Global Beverages, agreed that taming the human element is now of paramount importance, particularly given the international focus of his firm.

"What we tend to do is strong education," said Robinson.

"We need people to understand exposure. We talk to people about the corporate side of security, but also the personal side. Not using the same passwords in banking details and that kind of thing. Not many people seem to separate personal and corporate data, and it helps to train them to do so.

"But even that doesn't stop people doing things such as just copying things between devices. We have to make them aware of their own degree of responsibility."

Robinson's IT division has tight control over mobile policies within Tata. "HR hasn't got the exposure, but we have; we understand the risk," said Robinson.

Andrew Bull, director of delivery and operations in information management services at HMRC, said that his role did not offer as much flexibility, however:

"We're coming from an extremely tightly-controlled managed environment with an awful lot of customer data that people are interested in," said Bull.

"So while we're leaning towards a greater range of devices, we're in a different position to a lot of other organisations, because you can't get anywhere near our network with anything that isn't one of our devices - it just isn't going to work. It's locked down."

HMRC's policy remains hardware-focused, with Bull conceding "we've nowhere near the risk appetite for 'choose your own' at the current time".

However, Bull also stated that "the good news is that it's extraordinarily unusual for us to lose devices," thanks to effective user education efforts. But just in case, "in the laptop space, everything is very securely encrypted with a separate token. It's totally protected, and if it's lost it's about as useful as a housebrick".

But Grljevic, while acknowledging that thetrainline.com, as a web developer, would naturally assume a more trusting attitude towards its employees, railed against such top-down policies.

"We stopped doing the top-down policy definition, because that just doesn't work," said Grljevic.

"I have a lot of intelligent IT users who just don't like to be told what to do. If they don't get what they want, they can do what they do somewhere else.

"So we stopped doing top-down, and started with a BYOD policy in which we said 'Tell us what you want, and what devices you want'. We've come up with a policy they can use and also do their work, and we get the productivity out of it. It's useful to have a policy that controls the system rather than a policy for the sake of a policy."