Losing a device - what's the big deal?

2009-10-19

(This talk was originally given at a CBR dinner club event in October 2009)

It shouldn’t come as a surprise to anybody, to know that mobility does bring with it a business advantage. Last time was asked that question a couple of years ago, two thirds of companies of all sizes consistently said ‘yes’ – and we can be reasonably confident that the figure will have risen since then. In the same study, a staggering 80% of companies permitted access to corporate systems from company-owned laptops and/or PDAs. And meanwhile, from the same research, we found that a quarter of companies saw the risk of exposure through device theft or loss was ‘high’ (and a further quarter as ‘medium’).

From our own experience, laptop theft is like car accidents – everyone knows someone who has been involved, but it always happens to someone else. As for phone loss – is there anyone who hasn’t lost a device at some point? I can think of hotel bar, roof of car, casino bar… is there a theme developing here? Actually, we do know from some more recent research – about 15 percent of respondents had personally suffered accidental loss or theft of ‘bag, keys, wallet/purse, phone, laptop’ in the six months that preceded the study. (And incidentally, 25% of organisations said they had suffered theft of corporate equipment in the same period – so it all adds up)

But really, the loss of a device doesn’t matter so much. Sure, there is the capital cost – you wouldn’t want to do it too often. From a corporate perspective, we know consistently from our research studies that the biggest IT-related risk involves the loss of business-critical information.

The problem only starts to surface when the two worlds collide. When I lost my Motorola flip-phone in the Fairmont San Jose, the most annoying thing was that I still had a whole bunch of connectors, chargers etc that immediately became redundant. When I left another device in the Venetian, it also contained my entire contacts, task list, recent email conversations and various other files. Fortunately I had put a PIN on the device – or rather, our hosted Exchange service had enforced a policy which set a PIN for me. Of this, more later.

But for now we have to face the fact that mobile devices are astonishingly capable of storing quite huge quantities of data. And it’s not just mobile phones either. When I was speaking to an IT Manager at IP’09 last week about disaster recovery policy, I asked him how much data was involved – expecting the answer to be in the Terabytes. “A few hundred Gig,” he said… that is, the amount of data that could quite comfortably be stored on an iPod.

It was so much easier in the mainframe world – have you ever tried to lose a mainframe? But these days, we have the combined effects of the gadgetry becoming increasingly easy to lose, coupled with the fact that devices can store exponentially increasing quantities of data.

The ‘so what’ becomes clear when we define what we mean by ‘business critical’. Private (and increasingly, public) organisations case about one thing the most: money. So, information loss matters for one of two reasons: if information is lost, either it’s going to prevent the business from making so much money, or it’s going to cost the business money to deal with the impact. There are mitigations for the former – organisations have a plethora of data protection mechanisms available to them (and if you want to know more, let me know and I’ll send you a copy of our next book when it comes out).

But the latter is harder to mitigate against. If a company ‘secret’ is released into the wild, it can be copied; if customer data is released, there is a compliance cost as well as reputational damage. Having said that, it does astonish me how blasé people are with their information – to be fair, me included. I believe T-Maxx actually increased sales having lost all those credit card details.

So, what to do about it? Well, there are a variety of technological measures that can be brought to bear – either to lock down devices, prevent information from being released without authority, audit where it has gone, remote-destruct the data and/or device (with just a whiff of Mission Impossible) and so on.

We know that this area is underserved – roughly half of the organisations we surveyed felt well protected against the kinds of inadvertent breaches they suffered as a result of theft or loss, compared to external attacks. While we know data leakage tools and technologies are not implemented to the same level as malware protection, this is also an indication that technology alone is not the answer. When we looked into this we found little between the challenges of dealing with the existing security infrastructure (i.e. plugging the holes), implementing appropriate policies/processes, or indeed making the necessary cultural changes to get the right tools and mindsets in place. These areas are all hard, though not insurmountable.

What the research also highlighted, were the places to start however. The absolute ground zero is understanding risk – we could paraphrase “knowing the price of everything and the value of nothing” to be “seeing dangers everywhere, but risks elsewhere”. In this context, the only important risks are business risks – that is, those that can impact an organisation and its dependents.

The second lesson we have learned is around policy. Draconian rules don’t work – they are tough to implement, difficult to enforce and impossible to keep up to date. So put away the superglue. We advocate a ‘minimum necessary’ approach – for the simple reason that if you can’t implement that, you don’t stand a cat’s chance in hell of implementing the maximum possible. Simple example: PIN numbers on PDAs (I said I’d come back to that!).

Finally, we look for cause and effect in our research, and one factor which surprised us in its effectiveness was awareness raising – in some cases breaches were being reduced by an order of magnitude in organisations that had some kind of awareness programme in place.

Security tools are just that – tools of the trade. All for it – but organisations who think that tools alone will solve the problem, are cruising in the fast lane with a blindfold on. When the crash happens, it won’t matter how good your airbags are.