In the press: How breaches are paving the way from BYOD to CYOD policies

December 4th, 2014

Cyber-security has returned to national front pages again this past year. Heartbleed and CyberVor are now common terms, whilst high-profile breaches at the likes of major digital retailers eBay and Apple raise very big questions about security in the digital age.

What does this mean for field service companies who not only hold vast amounts of customer data, making them prime targets for hackers, but are also moving their mobile workforces swiftly to a digital environment where they can reap the rewards of better productivity?

As news broke of the world’s largest-ever data theft, conducted by the Russian cybercrime group dubbed CyberVor, we once again turned our attention to the question, “Are our companies safe from cybercrime?”

All businesses with a digital presence waited with bated breath to learn if their users were affected by this reported attack. In some quarters people denied that an attack of this magnitude was even possible and questioned the validity of the claims; others saw it as a defining moment demarcating the size of risk we all face today.

“It’s a nasty reminder of the cyber risk threat which organisations face in 2014 and the need for boards to be prepared for attacks such as this,” commented James Mullock, Partner at law firm Osborne Clarke.

Daniel Hedley, solicitor and technology specialist at Thomas Eggar LLP, agrees: “From a business perspective, the key issue here is simply this: Who has your data? How much do you trust them to keep it safe? Businesses can face significant legal and reputational risks when they lose data, both under data protection legislation and under contractual confidentiality obligations such as NDAs. It’s therefore very important for businesses to know where their data is.”

Of course, perhaps the highest profile security breach in recent months is the failure of Apple’s iCloud, which even left a dark shadow over the launch of the latest iPhone.

Robert Rutherford, CEO of IT consultancy QuoStar, commented: “The theft of personal photos from celebrity accounts has focussed the spotlight on the company’s approach to security, and has raised concerns.”

“The problem is that whilst dispensing token security improvements with one hand, Apple has denied any responsibility for the breach with the other. The resulting image is one of a company that deliberately avoids transparency around its security practices and glosses over its mistakes,” Rutherford continued.

But whilst leaked photographs of naked celebrities don’t instil confidence, Apple’s iCloud is a consumer-based storage service, so how does this impact the business community?

As Hedley explains, “While it is true that businesses will not generally choose a consumer-focused cloud service such as iCloud, in this age of staff using their own devices for both work and personal use, it is very easy for confidential business data to end up being uploaded to these services, without the IT department or senior management finding out about it until it’s too late. iCloud, in particular, can be problematic in this area because Apple’s devices will often back up everything on the device to iCloud by default.”

“From a hacker’s point of view, a failure of iCloud brings richer pickings. There would be a lot of work involved in hacking into many individual machines whereas a security hole in iCloud would mean that millions of pieces of information would become available at once,” Professor Mike Jackson from Birmingham City University stated.

“Whenever you place information on a computer, that information becomes less secure. If you connect a computer to the Internet then the security risk grows. If you store information on a cloud service then you rely completely on security measures of the service provider. Once in the cloud, it’s these security measures which make the difference between privacy and the whole world being able to access your documents and pictures.”

Unregulated BYOD is an issue facing IT professionals the world over. As Matt Newing, CEO of unified communications provider Elite, states, “IT teams worry about losing control of IT, as employees all over the business connect personal devices to the company network, download software and applications and turn to cloud services.”

Hedley added, “Businesses can control these risks, while still maintaining many of the benefits of cloud storage services and BYOD, by deploying a combination of technical measures preventing unauthorised uploading of business data (using technologies such as MobileIron) and user education.”

Recent research from Samsung found that 47% of UK companies had a work handset lost or stolen in the last 12 months. Almost a third of CTOs were, however, unaware of the number. Alongside this, a global survey of CIOs by leading analyst Gartner found that as many as 38% of companies plan to stop providing their workforce with devices at all by 2016.

“Laptops, mobiles and tablets can cost many hundreds of pounds per year for each employee, so BYOD has become very attractive. However, far from enjoying the flexibility and lower costs, companies that rush into BYOD without a strong policy face considerable risks,” said Hardeep Singh Garewal, President – European Operations, ITC Infotech.

“For unprepared companies, a lost or stolen device represents a catastrophic security risk, with the potential cost to their business far outweighing the savings. There are many solutions available, but we see many companies failing to implement a clear policy on keeping track of work devices. This hinders them from acting quickly to prevent breaches,” adds Garewal.

However, the new movement towards Choose Your Own Device (CYOD) offers an alternative solution that addresses both security and personal data concerns. This approach ensures the company retains full ownership of the device, removing uncertainty in safeguarding information on the device, yet still providing user freedom.

Garewal concludes: “While CYOD means the company must ultimately foot the bill for the device overhead and support, the level of control and assured visibility vastly simplifies issues around privacy and security. However, whether they use BYOD or CYOD, companies encouraging flexible working must ensure they are prepared to deal with imminent risks or spend all of their time fire-fighting to avoid major crises.”

Source: Field Service News
