The rise of mobile working and BYOD means that accessing corporate data from multiple devices is now the norm for many employees. What's surprising is the lack of security provisions and user training to protect information beyond the physical premises of the organisation.
Mobile data security has, so far, been startlingly low on the priority list of businesses, yet this will have to change if mobile is not to be the catalyst for major data loss in the future.
Who is protecting the President?
Safeguarding the world's most powerful politician is a powerful analogy for anyone tasked with protecting data assets. The President becomes much more effective as he moves around, engaging with citizens and other nations – but any security provisions must move with him. Similarly, you should not let your data assets flow freely via mobile devices without a security policy to protect them from accidental loss or malicious misuse. Yet this is happening within many organisations.
The rise of the mobile workforce
The continuous flow of data is an ongoing security challenge for organisations that, by law, must protect sensitive personal data, such as customer names and records, from being leaked or lost. Whilst everyone makes mistakes, it's the organisations that are penalised, so they must institute robust strategies and technologies to ensure sensitive data is not inadvertently shared.
The chief advantage of a mobile device, which is that it moves with you, is the very root cause of the data security challenge. With the rise of the mobile workforce, the ease with which devices can be lost or stolen, and the risk that sensitive information will be exposed, are real challenges for the CIO.
Yet a complete ban on mobile working would be detrimental, if not impossible, so CIOs need to adapt their practices to ensure all the information is kept secure throughout the data lifecycle. When you add in the unstoppable move towards BYOD, you increase the risk and resultant challenges caused by supporting diverse device types.
Balancing the needs of staff with good security practices
Generally, data loss is a result of human error, rather than malicious practice by employees or cybercriminals. An unfortunate auto-complete in email addressing can cause as much damage as a malicious leak of highly-sensitive corporate data. Yet you have to balance the potential risk with the needs of staff and their ability to do their jobs remotely.
One way in which this can be achieved is to introduce a user-driven data-centric security policy which allows the creator of the information to classify it. The creator has full knowledge of its context and therefore the potential impact of its loss. This means the user's value judgement can travel with the data, so everyone handling it can see the importance of the label, and can be clear as to whether that data should be shared or protected.
Data classification solutions provide a safety net to help all users understand the value of the data and make more informed choices about how it should be distributed, enforcing data security policy and best practice across the organisation.
Looking back to our Obama analogy, it wouldn't make sense to secure The White House by never letting anyone in or out, or providing the same level of protection to the cleaners as you do for the President, yet this is often what happens when protecting information assets. You cannot simply put a firewall in place and stop all data from leaving the physical perimeters of the business – employees with the best intentions will only find ways around the obstruction in order to get their jobs done.
Instead you must have a tailored approach which allows employees to carry out their roles efficiently, whilst simultaneously protecting data. This means providing control over which messages can be synchronised to a mobile device, avoiding storing sensitive information on devices and crucially for BYOD, how to segregate the personal from the corporate data. Success in protecting data across multiple devices relies on a robust data classification system, which extends seamlessly from the corporate network to the mobile device.
The certainty of mobile data breaches
It's only a matter of time before we hear of a major data breach from mobile. It's important to recognise that data loss is impossible to stop whether it's data stored within the relative safety of the organisation's network or data flowing between mobile devices. As always, success will be measured in how you minimise, control and recover from the breach. With this in mind, it is time that the focus of good data security practice extends beyond the perimeter to VIP data assets wherever and however they travel.
- Martin Sugden is Managing Director of Boldon James