Technology focus in securing BYOD is a mistake, say experts

Focusing on technology in trying to secure mobile devices is a mistake, say IT and legal experts

Focusing on technology when trying to secure mobile devices is one of the worst and most common mistakes businesses make, according to a panel of IT and legal experts at the London SC Congress 2014.

The nature of the issue depends on the business, but that means understanding the business and what specific risks apply, said Rick Doten, chief information security officer (CISO) at enterprise mobility firm DMI.

“Any enterprise cannot apply appropriate controls before it understands how employees are using mobile technology and it does a risk assessment to ascertain if there are any privacy issues,” he said.

Many organisations fail to define what they are trying to protect, said Paul Swarbrick, global CISO at legal firm Norton Rose Fulbright. “The biggest danger of BYOD is not understanding the risks,” he said.

“Security should not be about the technology; it should be about the data and protecting that data wherever it is used, and about educating employees to access data securely," said Swarbrick.

In many cases, employees are using new technologies but in old-fashioned ways, introducing new risks, he added. “Not all firms realise they need to evolve their business processes to keep up,” said Swarbrick.

“Technology solutions should be driven by the business; technology platforms should not be a requirement in themselves, but merely part of the solution to meet business needs.”

Doten said companies should aim to protect data on mobile devices to the same level that it is protected within the enterprise, based on proper risk assessments.

“But it is important to identify the data and the level of protection required before looking for the most appropriate controls to apply,” he said.

More on BYOD

Common failing

Another common failing is overlooking the importance of drawing up and enforcing policies to ensure businesses retain proper control of their data, said Ann Bevitt, partner at law firm Morrison & Foerster.

“Policies are key to success because they are an important way of ensuring that a company’s control over its data is the same on employee-owned mobile devices as it is on company-owned equipment,” she said.

But Bevitt warned of the danger of tracking employees using the geo-location data transmitted by their mobile devices. “Firms must be careful not to do this without notifying their employees,” she said.

Expanding on his position, Swarbrick said that essentially, when it comes to mobile solutions, security needs to become just another business requirement.

“If it is a business requirement, it will be captured at the start of the project and translated into the final solution rather than having to be added on afterwards,” he told Computer Weekly.

“Businesses need to recognise that security is increasingly a business function, not an IT function.”

Read more on Endpoint security