Information Security Specialist Group - The Future of Mobile Devices
The ISSG held one of its regular seminars at the National Space Centre in Leicester on 4th July, 2012. The decision to visit the NSC was based on two criteria: it's not London and it's a smashing place to visit. Every once in a while, the ISSG holds meetings away from London and this was it for 2012.
The subject was “The Future of Mobile Devices”; how do you deal with the Bring Your Own Device to Work culture? We didn't actually use the secondary title shown above but it was evident throughout the day that a lot of (especially senior) staff take that attitude. As is so often the case, business progress is a battle between expectation and reality. Sometimes the IT manager's perfectly reasonable and clearly valid technical perspective can take second place to wholly unreasonable business demands. The key question for any ISSG member is, “Can I make it secure?”. That's what our speakers tried to answer.
And can you make BYOD secure? Well, probably – most of the time but only if the staff don't do something stupid.
There were quite a number of very interesting snippets that came out of the presentations. For example, it may be advisable to add anti-virus software to all smart phones in the not too distant future. There are squillions of them in use today all over the world and they are all basically small computers. Some of their operating systems appear more vulnerable than others. David Emm from Kaspersky pointed out that the majority of malware created for mobile phones was directed at Android ones. In contrast, the incidence of malware on Blackberry phones was estimated at 0.05% and for i-Phones it was <0.01%.
So was this a good reason for saying “No!” to BYOD? Not in the view of Mike Cholod from Absolute Software. He stressed that user tools were diversifying anyway so the best solution was to manage diversification so that it goes in the right direction. He quoted one interesting statistic: between 2010 and 2011, the numbers of staff bringing their own smart phone, tablet or personal PC to the workplace rose from 30.7% to 40.7%. The subplot here is that accountants may be encouraging this trend as they see it as the business transferring some costs to the staff. However, the smarter firm factors into the equation the added costs of managing a mixed economy of devices and, more especially, the cost of supporting multiple operating systems. (Oh to go back to the days of VT100 terminals. But that's showing my age.)
Thinking about using i-Pads? Well, Mike Nash's company (Gamma Secure Systems) does, and he carefully listed the good points in favour of them, and there are many. It's clear that Apple have given some thought to their security model for i-Pads. The Apps for the i-Pad are rigorously controlled by Apple and this has the advantage that all must conform to the general Apple security model or Apple will not certify them for use. However, the downside is that in a corporate environment, it may be difficult to prevent the user from installing Apps that may conflict with corporate standards. Mike also outlined some of the quirks of the Apple environment. At least they seemed quirky to those of us steeped in Windows but to Apple devotees, no doubt they seem perfectly sensible. (Did I hear Mike correctly – Apple are selling four million i-Pads each week?)
The thorny question of whether to say 'yes' or 'no' to BYOD was addressed by Les Fraser. The two extremes were to either man the barricades or to just put out the welcome mat. He suggested carefully controlled inclusion. The careful IT security manager will implement flexible and strong access controls, for example. He emphasised the need to revamp any existing employee guidance, or if your company does not have any employee guidance, for goodness sake write some quickly!
The final presentation was by lawyer Shelley Thomas of Hill Dickinson. This was arguably the most disturbing of the presentations. It had been emphasised all through the day that the technical issues can be exciting but the data issues are more critical. Shelley rammed the point home by asking, “whose data is it?”. If, say, your staff are using smart phones and tablets, what data is actually being held on those devices and who owns it? Is it company confidential? Is it covered by the Data Protection Act? In short, while the connectivity problems are (relatively) easy to solve, data ownership is not and companies need to have carefully worked plans for managing data on platforms the company does not own – especially should something go seriously wrong. Which, of course, it never will but it just might and if it does go wrong it will most likely be something really nasty!
Did the day go well? We had 60 people at this event and they came from industry, commerce and the public sector. Feedback was uniformly positive for the day. Oh, and the lunch went down very well but then we pride ourselves in the ISSG on having good lunches.
There was one small hiccup during the day. One presentation was delayed because the administrator, a long-standing BCS member with 30-odd years of experience, couldn't figure out how to connect the laptop to the projector. No names, no pack drill on that one.
Many thanks to the National Space Museum staff for their support. Delegates had the opportunity to take a tour of the museum as part of their visit.
Postscript: All of the presentations will be posted on the closed section of the BCS/CIfIT web site by Friday, 13th July, 2012, and available for registered ISSG members. These will be in redacted format.