Wednesday, December 5, 2012

"Secure data access in a mobile universe" - Interview with the Economist Intelligence Unit

I was recently interviewed by a journalist, Lynn Greiner, who was working on a paper for the EIU, and we talked about data security, mobility and the ever-common phenomenon of BYOD (Bring Your Own Device to work).

The full white paper is here (http://tinyurl.com/a76vfow) but here are some excerpts:

Preventing the data from being stored on a mobile device at all is another strategy. Al Raymond, vice president of privacy and records management at Aramark, a US foodservice supplier, says authorised users who need to access company information remotely do so over a secure virtual private network (VPN) from their laptops or mobile devices. No data other than email are stored on the device itself, making it relatively easy to protect corporate data assets should the employee leave, or lose the device.

Some companies that have BYOD policies expect executives and employees to make sure they have necessary software on their devices, at their own expense. Others reimburse all or part of the cost of programmes required specifically for business. Proper configuration and good usage practices must be monitored and enforced centrally, Aramark’s Raymond says, adding that regularly reinforced security awareness training also keeps secure data access fresh in employees’ minds.

Aramark’s Raymond says his company takes an alternative approach to device-centric mobile security administration. Workers use the mobile device purely as a viewer, leaving company data on securely accessible corporate servers that do the heavy computing, and not on the device itself.

The average cost of a corporate data breach incident hit US$7.2m in 2010, according to the Ponemon Institute, a consultancy. That’s more than double the average cost in 2005. Mr Raymond thinks that these figures ring true, given the number and types of breaches, adding that there are hundreds of small incidents each year and a few major ones that may hit US$25m–US$500m.

Before the introduction of Aramark's formal mobile policy ten months ago, people had no defined rules telling them what devices and operating systems were eligible to be connected to the company network. With the new policy, entailing role-based access and approved devices and configurations, the company knows precisely who has access and to which data. "It's no longer a wink and a nod," Raymond says. The higher the visibility of your program, the more likely it will be adhered to.

Mr Raymond says that, although his business doesn't require it, separate environments for business and personal use are important, but if the policies surrounding them, or any other security measures, are not enforced, there will be issues. He says he is always surprised, when speaking with his peers, at how much of security in large organisations is just "smoke and mirrors". The words are there, the enforcement isn't.
