RiskUKOctober2017

More documents

Recommendations

Info

‘The Perimeter’, as it was once known, is quickly going the way of the Dodo. Between Bring Your Own Device schemes and the mass migration to the cloud, IT security professionals can no longer rely on the boundaries of their network to be the true borders in their area of responsibility. That being the case, where do they go from here? Adam Jaques offers his take on the matter Left To Their Own Devices Quite predictably, Bring Your Own Device (BYOD) refers to a policy of allowing employees to literally bring their own devices into work and use their employer’s network in order to do their job. It might prove to be a headache for IT professionals inside the host company, but has clearly been quite attractive to management, who often see an opportunity to save money, increase productivity and, ultimately, streamline the working lives of their employees. This poses tough questions for security professionals. They’ve every right to be worried, too. A panoply of studies show that, time and time again, human error is so often the prime cause of a breach. Further, recent reports have indicated that personal devices on corporate networks are behind many insider threats. In short, BYOD serves up a whole new salad of security variables for IT security professionals, many constituent elements of which may seem tough to digest. The moving parts that a BYOD policy introduces confront IT Departments with a variety of devices, brands and users and a veritable kaleidoscope of data that can be difficult to manage. You’re not only adopting your employees’ devices, but often the services and Apps that they regularly use as well. Let’s be clear that BYOD isn’t going away anytime soon. The corporate perimeter is already heading out of sight. Workforces are increasingly mobile and dispersed with the rise of networked technology and the proliferation of ‘Work at Home’ policies. It’s a trend that will be hard to fight. A study by analyst Gartner shows that, by the end of this year, 50% of companies will require employees to use their own devices for work-related tasks. BYOD: the central considerations So what do organisations need to think about on the path towards BYOD? Compliance considerations must come before the first draft of any BYOD policy. Industry regulations and standards must be understood along with the issues that concern your specific sector when it comes to IT. In the healthcare sector, for example, BYOD policy needs to take into account the great wealth of intimately personal data that will flow through users’ devices. For engineering, the policy must recognise the value of the Intellectual Property with which members of staff are engaged on a daily basis. All of this becomes especially important for European organisations, who will soon face the daunting compliance challenge of the EU’s General Data Protection Regulation (GDPR), which comes into effect in May 2018. The raft of requirements it will introduce are all backed up by a hefty 4% penalty on global revenue for particularly delinquent proven offenders. Survey results published by Strategy Analytics have shown increasing fears around BYOD on the part of European businesses, with 10% of those professionals quizzed suggesting they expect the use of BYOD-enabled tablets to decrease with the advent of the GDPR. The GDPR need not become a hindrance to BYOD adoption, but it does mean organisations that want to allow mobile IT will have to be all the more diligent when it comes to implementation. Even if drafting a policy proves cumbersome, not having one in place will not stop employees from using enterprise IT on their own devices. It will merely leave the business without a structure to accommodate this and risks compliance problems at some juncture further down the line. Opening up to risk “There are always going to be some businesses for whom BYOD is inappropriate,” explained Vince Warrington, founder of Protective Intelligence, a consultancy that advises companies on security. “There are always going to be people who struggle with not being able to take their work laptop home, especially if they need to work late or across a weekend to meet deadlines. What they’re more likely to do is e-mail their work to themselves, thus opening up the enterprise to security risks.” 24 www.risk-uk.com
Mobile Technology: Risk Management for BYOD and The Cloud Warrington continued: “It’s that balance of making sure you have the security right. If you don’t put some kind of policy in place then people will work around the situation in any event. They’ll find a way. Your workforce is like water in that it will always gravitate towards the path of least resistance. If you turn around and give people in your working environment the kind of workloads where they’re having to operate from home at weekends or while on the move then you must accept the fact that, unless you put proper rules in place, they’re going to do whatever works best for them.” Core to the introduction of a BYOD policy will be to give users access to the processes they need to do their jobs. This involves more than just securing endpoints in the right way. Steve Armstrong, a SANS Institute instructor, advises against relying purely on endpoint solutions, and instead to “think about controlling your data before it’s sent to the endpoint.” You need to think about what data you’re replicating. Is it reliable? Is it secure? Does this person actually need access to that data? “It’s good to have endpoint security,” stated Armstrong, “but don’t think you’ve just outsourced the problem.” EMM comes into play That access needs to be managed and enforced with what’s known as Enterprise Mobility Management (EMM). EMM helps to prevent unauthorised access and establish acceptable behaviour for mobile IT, partition accountability and address the problems of lost and stolen devices as well as what to do when an employee and an employer finally part ways. The simplest EMM solution for the widest range of devices will be the one that works best. To be sure, any solution that’s too complex or restrictive is doomed to failure. Back in 2014, another study by Gartner predicted that 20% of all BYOD policies would fail due to overcomplexity. Access management must be disciplined. People (including guests) and devices that don’t require access to areas of your business should not have access. It’s as simple as that. The proliferation of admin rights for regular users across global organisations is a regular cause of security breaches. Some EMM solutions make good use of container security which effectively separates the data of employees and enterprises, even when working on devices that are brought in from home. Network access control solutions and strong SSL VPNs will be critical to the adoption of BYOD, affording users access to what they need while protecting the business from security “Survey results published by Strategy Analytics have shown increasing fears around BYOD, with 10% of those professionals quizzed suggesting they expect the use of BYOD-enabled tablets to decrease due to the EU’s GDPR” risks. Bear in mind that technological solutions are necessary, but not quite sufficient enough for an effective BYOD policy. Humans may be your weakest point, but they’re also your most critical aspect. They’ll need to be educated about security cleanliness, what they can and cannot do on a company network and how they might work not only efficiently, but also safely. Employee perspectives When looking at the issue from the point of view of the business itself, it’s easy to forget about the perspective of the employee. The benefits of a BYOD policy cannot be taken as a ‘given’ when it comes to employees. They need to be assured that their privacy will be respected, just as employers would expect their security policies to be observed. Moreover, finding out what employees want and, just as importantly, what they actually need from such a policy will only serve to create a more agile and workable document which is easier to stomach. Much of this comes down to education, itself a fundamental aspect of implementing BYOD. Education is absolutely critical to the future safe working of BYOD within your organisation. In essence, BYOD has to orbit around the very subject of a BYOD policy: the user. Here, simplicity is king. Complex policies will mean inefficient working, blocks to productivity and hard-to-follow instructions. They’ll merely increase the likelihood of the user finding some way of circumventing a cumbersome security policy and possibly opening up your organisation to compromise. What about the future? Looking ahead, new developments are being made in BYOD that will allow the introduction of Artificial Intelligence in workplaces, thus removing much of the scope for human error that BYOD sometimes risks. Bring Your Own Bot (or BYOB) has been touted as the future iteration of BYOD, with the arrival of intelligent personal assistants like Amazon Alexa. BYOD provides a new challenge to security professionals and one that’s not entirely avoidable. However, a forward-thinking BYOD policy will plug security holes far more effectively than if you choose to ignore them. Adam Jaques: Technologist at Pulse Secure 25 www.risk-uk.com
Page 1 and 2: October 2017 www.risk-uk.com Securi
Page 3 and 4: October 2017 Contents 33 In Search
Page 5 and 6: Texecom Connect App New smartphone
Page 7 and 8: News Update Biometrics Commissioner
Page 9 and 10: News Analysis: UK-European Union Se
Page 11 and 12: News Special: Cortech Open Innovati
Page 13 and 14: News Special: NAHS Annual Conferenc
Page 15 and 16: Opinion: Crowded Places Security an
Page 17 and 18: Opinion: Mind Your Own Business Acc
Page 19 and 20: BSIA Briefing Preventing injury in
Page 21 and 22: They see a well secured airport. Yo
Page 23: Security in the Built Environment a
Page 28 and 29: Data Centres: Security and Fire Saf
Page 30 and 31: Advertisement Feature “We take po
Page 33 and 34: Access Control: Developments in Bio
Page 35 and 36: The New Camera Line Mx6 Creates Mor
Page 37 and 38: Manufacturing X-ray Machines in the
Page 40 and 41: Counter-Terrorism: Security Screeni
Page 42 and 43: A Touch of Retail Security Therapy
Page 44 and 45: Healthcare Sector Security: Body-Wo
Page 46: Healthcare Sector Security: Access
Page 49 and 50: Advertisement Feature Inner Range
Page 51 and 52: Advertisement Feature expander, ELM
Page 53 and 54: Mail Room Security Management: Syst
Page 56 and 57: Meet The Security Company This is t
Page 58 and 59: www.coie.uk.com Cortech Open Innova
Page 60 and 61: The Security Institute’s View a c
Page 62 and 63: A 21st Century Crisis: What Does It
Page 64 and 65: Qualifications: The Future of Fire
Page 66 and 67: An Exercise in Logistics Company wa
Page 68 and 69: Visual Hacking: Combating Mobile an
Page 70 and 71: Raising Standards: A Commitment to
Page 72 and 73: Risk in Action Business process enh
Page 74 and 75:
Technology in Focus Gallagher Secur
Page 76 and 77:
National Association for Healthcare
Page 78 and 79:
Appointments Tom Brookes Tom Brooke
Page 80 and 81:
Best Value Security Products from I
Page 82 and 83:
THE UK’S MOST SUCCESSFUL DISTRIBU
show all

RiskUKOctober2017

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?