Bring your own device or bring your own demise?

Research conducted by Varonis, has found that half of companies have lost a device with important company data on it, furthermore the report details the obsession as it puts it that the workforce have with remote devices.

Well this obviously raises concerns over the security of business and personal data alike so David Gibson VP of Strategy at Varonis is here to tell us more.

For more related podcasts click here.

To subscribe to receive new podcast episodes for free click here.

Firstly David, tell us about Varonis and why this study was relevant to you?

Varonis was founded in late 2004 and started operations in early 2005 and our founders were storage experts and came from Network Appliance. We have really helped organizations manage and protect their unstructured information so that’s the information that lives on file shares or in their intranets, or their email. Our goal is to make sure that only the right people have access to the right data at all times and that all use is monitored and that all abuse is flagged and that people are able to access that data from the right devices and that once that data is no longer needed it gets archived or deleted appropriately.

Give us the top headline figures that this report has revealed then?

I think that what we have seen is that the nature of collaboration is changing. First of all digital collaboration is in the mainstream and almost every organization is data driven. If you think of business process today everything from customer relationship management to human resources information everything at some point gets down to some kind of digitised format even your voicemails are now digital. The format of our collaboration of our business is digital and as we can see the ability to access that digital information is paramount. People want access to their email, files and other services from any device from anywhere from wherever they are working and it seems like also for any time of the day even during meals as our research indicated. That is why it is relevant for us because we deal with digital assets and collaboration. We wanted to observe the habits that people are forming and living with these days.

Your report is entitled Bring your Own Demise? Is the problem really that serious?

It really depends on the value of the information that we are talking about. They say that every day a disaster starts with an email these days. If you think about if you have a Smartphone, do you access your emails from your Smartphone? If you left that device in a pub and you did not have it password protected what would that mean for you personally? Think about it in those basic terms for people that use their mobile devices for work. You have customer lists and potentially your business plans, blueprints, property details. All these are things that you want to access from those devices. Many organisations I am sure are restricting what people can access from which device but from our research you can see that there are quite a few security implications and organisations are definitely feeling the effects of disseminated information that is in a device that is not necessarily locked out.

Were there any surprises in the attitudes of workforces towards security on things like smartphones from the conclusions of you report?

I am not really surprised that not all the devices had protection on them but I think that the message is that we need to start thinking about all the different places that our information lives and how valuable it is. We really need to start to make sure that basic fundamental controls are around the information no matter where it lives.

What sort of encryption, password and other security measures are people using already and are they enough?

If you take a look at some of the research that we have done over the past year or so. There are some basic fundamental controls that are not as widespread as we might think they might be. A lot of organisations, (if you take a look at our state of data protection research) don’t really know, or are not confident that they know where their critical information is stored. It is not just their own information that is stored it is actually information from their business partners, customers and third parties.

Information that they have a responsibility to protect and they don’t know where it is stored. Other controls that are missing include the fact that very few organisations audit all access and they don’t necessarily review who it is that has access regularly. They also don’t know where the information belongs or who it belongs to, so they don’t have an owner assigned to that information. If you want to know where can we augment our controls I think there is going to be the basic controls around this information.

Does the report go as far as to offer some advice for organizations and their mobile device obsessed workforce to limit the potential risk?

At the conclusion I think that the first thing is to understand what is and what is not allowed. There is statistically difference in the companies that have and don’t have a BYOD policy but it is important to start educating your employees about what is allowed to be on those devices and what is not allowed to be on those devices. I think that to start with, employees need help to understand the value of the information that the organization has and what the controls are that they deserve and I think basic controls around your devices and once you make sure that the device doesn’t contain anything it shouldn’t contain then lets add additional controls like password protection, encryption, remote wipe potentially.

Years ago if a member of staff had taken important documents from the office and spread them out across the table in the local pub it probably would have been frowned upon, but essentially that’s the situation we have with mobile enterprise isn’t it, we are carrying all this sensitive information around with us?

That’s true and I think that there is a fine line between productivity and security. It is very clear that we need to collaborate in order to function. We need as we have said organizations which are data driven now. If you didn’t have access to your email or intranet or your file shares your productivity would plummet and so it is important that we are able to collaborate but we need to collaborate securely. Making sure that we are conscious about the information we are storing and where we are storing it, who has access to it and who is using it and making sure that we have the fundamental controls in place to spot where sensitive data is exposed to risk where people might be abusing their access, or just have too much access. Those are things that we need to make sure that we adopt wherever our critical information is stored.

Do the advantages to business of being able to have their workforce working remotely and on the move still out-weigh the potential risks or is it a risk that’s perhaps simply not worth taking?

I think that that is the choice that every organization is going to need to make and they are going to need to make it with respect to their own digital assets. It may be that some assets really should never be accessible outside of the organization. It may be that some are acceptable but I don’t think there is a blanket statement that you can make about what risks an organization should be willing to accept. I think that each organization is going to have to decide where are their critical assets and where should people be allowed to access those assets. What is acceptable use and how can we control our environment.