Earlier this week I gave a talk to Intellect’s excellent Security and Privacy Group on the subject of how to manage the risks associated with portable devices. It’s a hot topic because the risks are growing and they’re very difficult to manage.
Portable devices are getting more powerful and proliferating. It’s an unstoppable trend. As Neil Gershenfeld of MIT Media Lab observed many years ago, there’s a tendency for computers to progressively de-fragment. They keep getting smaller, more numerous and better connected. We’ve moved from mainframes to minis, to micros, to laptops, to PDAs. Personal area networks are next. Eventually we will be working with clouds of smart dust.
At the same time the business environment is changing. Powerful trends such as consumerisation and social computing are reducing the influence of business interests in new product design. Criminals are more inclined to steal and exploit personal data, rather than just the devices it resides on. Legislators are forcing organisations to come clean about losses of personal data. And the increased use of casual staff and the erosion of long-term career prospects mean that we can no longer assume that all users have the interests of the organisation at the forefront of their minds. Put all of this together and we have a ticking time bomb. It’s a question of when, rather than if, an organisation will experience a major loss of data.
Portable devices present many risks. They massively increase the potential attack surface, making it easier to steal data or gain unauthorised access to corporate networks. They encourage users to hoard, carry and steal large amounts of information. And they are easily lost, stolen, overlooked, overheard or intercepted. Thousands get left behind every week in London taxi cabs.
What should be done? In my view, organisations must bite the bullet and establish an effective enterprise programme. Like most things in security, it requires strong policy, good communication and smart use of technology. Policy is also part of the problem, as many acceptable use policies are becoming unwieldy and ineffective. Communication is a powerful tool: Royal Mail Group successfully stemmed their laptop losses through security awareness campaigns. Technology is essential because we can’t rely on people to always get things right, but it can be difficult to implement. Encryption of data needs to be carefully thought through, key management and recovery in particular. Otherwise it can present as many problems as it solves.
There are no quick fixes when it comes to securing portable devices. It requires a long-term, strategic approach.