Jon Collins, originally published on Silicon
These days, it’s no surprise to anybody that staff mobility – everything from home working to being able to pick up email when out and about – brings with it a business advantage.
We at Freeform Dynamics have been asking questions about mobile usage patterns and productivity for a number of years now (most recently, for example, we looked into ‘moments of mobile need’). In that time the questions have very much moved from ‘if’ the tech is used to ‘when and how’.
As with so many things in IT and communications, there’s a downside of course – in this case around the dangers of losing a device, or indeed having one stolen.
Laptop thefts are like car accidents – everyone knows someone who has been involved but it always happens to someone else. As for phone loss, is there anyone who hasn’t lost a phone at some point? We know from a recent research project that about 15 per cent of respondents had personally suffered accidental loss or theft of bag, keys, wallet/purse, phone or laptop in the six months that preceded the study.
But really, it’s not the loss of the device itself that matters so much, despite the capital cost of replacing the hardware. Instead it’s what’s on it that matters: from a corporate perspective, we know consistently from our studies that the biggest IT-related risk involves the loss of business-critical information.
We have to face the fact that mobile devices are capable of storing huge quantities of data. It’s not just mobile phones: when I was speaking to an IT manager at a recent industry conference about disaster recovery policy, I asked him how much data was involved – expecting the answer to be in the terabytes. “A few hundred gigs,” he said. In other words, the amount of data that could quite comfortably be stored on an iPod.
It was so much easier in the mainframe world – have you ever tried to lose a mainframe? These days, we have the combined effects of the gadgetry becoming increasingly easy to lose, coupled with the fact that devices can store exponentially increasing quantities of data.
Information loss matters for one of two reasons: if information is lost, either it’s going to prevent the business from making money, or it’s going to cost the business money to deal with the impact.
There are mitigations for the former – organisations have a plethora of data protection mechanisms available to them. But the latter is harder to counter. If a company secret is released into the wild, it can be copied; if customer data is released, there is a compliance cost as well as reputational damage.
So what can you do about it? There are a variety of technological measures that can be brought to bear – either to lock down devices, prevent information from being released without authority, audit where it has gone or remote-destruct the data and/or device.
We know that this area is underserved – only half of the organisations we have surveyed feel protected against the kinds of inadvertent breaches they suffered as a result of theft or loss, compared to external attacks. We know data leakage tools and technologies are not implemented to the same level as malware protection, yet this is a case where technology alone is not the answer.
Outside of technical measures, things do get harder to deal with – from implementing appropriate policies and processes, to making the necessary cultural changes, to getting the right tools and mindsets in place.
But our research highlights the places to start.
First: understand your risks. In this context, the only important risks are business risks – those that can impact an organisation and its dependants.
The second lesson we have learned is around policy. Draconian rules don’t work – they are tough to implement, difficult to enforce and impossible to keep up to date. So leave those USB ports alone.
We have learned to advocate a ‘minimum necessary’ approach. This is for the simple reason that if you can’t implement that, you don’t stand a cat’s chance of implementing anything more extreme. Some simple examples: consider PIN numbers on PDAs, or up-to-date antivirus software on PCs.
Finally, we look for cause and effect in our research, and one factor which surprised us in its effectiveness was awareness raising – in some cases breaches were being reduced by an order of magnitude in organisations that had some kind of security awareness programme in place.
Security tools are just that – tools of the trade. We’re all for using them – but organisations which think tools alone will solve the problem are cruising in the fast lane with a blindfold on. When the crash happens, it won’t matter how good your airbags are.