By Frank Jennings
Key issues raised by the report and the launch event, with speakers from ASOS, Blackfoot, Ramsac and DMH Stallard, included the pros and cons of Bring Your Own Device policies, the issues surrounding the deletion of data, and the role of IT departments in moving businesses forward in an increasingly data-driven age. The report is the result of a series of in-depth interviews with leading UK businesses in the engineering and technology sectors, including technology enablers and cloud service providers.
Discussions and debate revealed some reluctance and uncertainty from directors on how to adopt best practice to address some of the issues raised, which was attributed to a number of factors. Security, compliance and who to ask for a second opinion remain key obstacles to moving the businesses forward in terms of IT innovation.
Bring Your Own Device (BYOD) and Managing Mobile User Access
“Who owns the device, who owns the data and what is the risk for me?”
Both the audience and the panel were divided on the benefits of a BYOD policy allowing users to supply their own devices and the potential pitfalls that such a policy would bring.
BYOD offers employees and corporations countless business benefits, from increased efficiency to controlled costs in providing a mobile workforce. The culture of BYOD is growing across all types of organisations, but it can leave businesses open to huge potential risks if their security measures are not appropriate.
“Empower your staff, make them care and make them aware. Let your staff realise that their own personal data may be at risk if best practice and your policies are not followed.”
Attendees highlighted that businesses which embrace BYOD can gain significant competitive advantage. By creating an enabling culture, not only does worker satisfaction increase, but the consensus was that businesses are likely to get more out of their staff as a result. BYOD programmes also offer the potential to shift costs onto the user, saving businesses additional expense.
However, attendees were wary of several issues, with concern centred on the lack of control over the IT hardware and how it was used. One attendee stated that their organisation would be hesitant to develop such a policy as they remain cautious of the potential blurring of the lines between the professional and personal lives of their employees. Another stated that the issues surrounding increasingly popular products, including iPhones and BlackBerrys, may lead to data leakage. Businesses may be unaware that using these products may result in their data being stored in the US, opening the business up to scrutiny under the USA Patriot Act, which the FBI can use to get access to companies’ confidential data.
Panellists highlighted that there was a need for a defined BYOD policy which makes clear what is expected of employees. Others highlighted the need for clear disciplinary processes to be put in place, so that all staff are aware of the repercussions of ignoring the policy. This should be coupled with making staff care about the data by explaining that their own personal data could be at risk too, with one panellist suggesting that up to 40% of data breaches are due to the behaviour of staff. An issue highlighted by one audience member was the potential problem of retrieving company data should a worker leave. There should therefore be a joiners and leavers policy in place which governs how the data will be retrieved from the device, and who has what data. Several audience members pointed to the various virtualisation and partition services which are available to businesses in order to ensure control of data on an employee’s device. These services allow data to be controlled by the IT team and can allow the business to remove all company data from the device at any time.
Looking to the cloud
“Moving to the cloud may actually make organisations more secure than they already are. Security through obscurity is not a valid justification for keeping data on your own servers.”
Discussion focused on how cloud computing continues to promise to be a fundamental transition in the evolution of IT and business. Audience members cited benefits such as lower costs (dramatically reducing expenses for hardware, maintenance and IT staffing), greater agility and better accessibility. However, whilst a move to the cloud can bring huge operational and financial rewards, the discussion highlighted that it is a complex and challenging undertaking which requires careful planning and some deep thought about what the business’s priorities are.
Several panellists brought to light that organisations complying with standards such as ISO/IEC 27001, written 15 – 20 years ago, may feel that they are secure, but in reality there may be huge gaps in their strategy, as the standards do not always take into account the latest forms of IT usage and devices, opening them up to severe business risks.
Deletion of Data
“How can you tell that when an external provider says your data is deleted, it really is? Can you ever be 100% sure?”
Several attendees highlighted the issues surrounding the deletion of data, and pointed to cases of businesses’ discarded computer hard drives being found to contain sensitive business and personal data.
There are many companies that deal specifically in data destruction. Panellists covered the key issues to consider when outsourcing this type of service, including making sure the service provider is properly insured and provides audit trails for each destroyed item, as well as ensuring that the business keeps its own audit log. It is also important to identify the kind of data stored on devices, in order to ensure that each item is treated appropriately. Bear in mind that there may be regulatory or legal requirements for information disposal depending on what data is stored on the disk. And, of course, the outsourcing agreement should contain appropriate protections for the business.
The changing role of IT teams and divisions in organisational approaches
“Look into the possibility of outsourcing to enable your IT department to innovate, rather than fire-fight.”
Internal IT departments are key to business success in developing the right strategic and technical data security solutions. One panellist commented that “when it comes down to it, your business success or otherwise is down to your IT department’s culture – it will be either enabling or empire building.”
There seemed to be a division in the style and approach to data security across the attendees’ IT departments. One attendee pointed to the need to take informed decisions and to ensure that business decisions are taken for the right reasons.
There seemed to be consensus that there was a divide in the market and that younger businesses seemed to be making the most of technology, whereas businesses which have been in the market for longer are more reluctant and are keen to see the results of the use of such developing technologies before adopting them.
The panel came to the conclusion that the following three-point plan was appropriate to move forward with addressing business data security issues:
1. Segmentation – audit the data: identify what data you hold and who can access it.
2. Ramifications – establish the likely financial and reputational implications of losing this data, and act accordingly.
3. Personalisation – a one-size-fits-all approach is not applicable; each business should take the steps that work best for it.
The debate follows the publication of DMH Stallard’s recent report into data security.
To register to receive a copy of this report, please email firstname.lastname@example.org.
The report is in addition to DMH Stallard’s best practice whitepaper on cloud contracts, “Contracting Cloud Services – A Guide to Best Practice”, which was co-authored with the Cloud Industry Forum. Previous reports have focused on IP (“How Manufacturers Leverage IP to Create Value and Safeguard their Futures”) and ethical business (“How Manufacturers are Embracing the Challenge and Reducing their Risk”).
About the Author
Frank Jennings, DMH Stallard, Partner and Head of Commercial, and Chair of the Cloud Industry Forum. Frank Jennings is a lawyer specialising in cloud and technology, data security, intellectual property and commercial contracts. His clients come to him not just for his specialist legal advice but also rely upon him for his “can-do” mentality and his pragmatic approach to solving problems and managing risk.
Frank chairs the Cloud Industry Forum’s code governance board, blogs at TomiLaw.com and regularly presents on cloud and data security issues. Independent legal directory Legal 500 says he is “commercially minded” and a “clear thinker” and rates him #1 for Technology & IP.
About DMH Stallard
DMH Stallard is proud to work with some of the most innovative and successful organisations in the country, including major financial institutions, FTSE-listed companies, private-equity-backed businesses and high-profile public sector bodies. The firm continues to be recognised with industry awards and in 2012 was awarded Corporate Law Firm of the Year at the prestigious Insider Dealmakers Awards.