Last week was the UK&I McAfee Customer summit, where 400-odd customers turned out at Chelsea Football Club to hear the great, the good and the unpronounceable from McAfee discussing what the future looks like if you sign on the red dotted line. It was, by any standards, a belting event and the two guest speakers, Gyles Brandreth and Dame Stella Rimington, both had the place either roaring with laughter or wondering really if this was who ‘M’ was based on. I’ll leave you to decide which way around that worked.
I was running one of the breakout sessions, and for my sessions, I looked at a future strategy for McAfee Public Sector, and the environmental issues we face in our world.
As usual, I tried to chuck a few controversial statements into my talk, mainly to make sure people were paying attention. And as usual, one phrase caused more discussion than most.
I had in bold “if you can’t secure it, you shouldn’t use it”. Ostensibly this refers to BYOD, but more generally, any kind of technology where corporate data resides or where it is at risk of interception or leakage. We discussed various real cases where Security staff are put in a position of being coerced into letting staff use unsuitable machines on a network.
And so the question is – how do we stop it? It’s a bit like trying to stop your kids swearing. We all know your average 13-year-old schoolkid uses bad language in the school playground that would put Malcolm Tucker to shame. We know this to be true because we’ve all been there, and enjoyed the thrill of naughty words. The trick as responsible parents is, what to do about it? Do we ignore it, and hope they don’t bring it home and use it in front of Aunty Lyn? Or do we deal with it head on? Those of you with a more disciplinarian streak will feel that head on is the best approach, but honestly, when they are out and about, will they care that you’ve given them the third degree at the dinner table? Alternatively, the more libertarian amongst you may decide that telling them not to do it and hoping they grow out of it is a good approach (they won’t – go to a football match or the pub to hear grown-ups swearing en masse).
Similarly, in a simple world, telling staff that using their iPad is dangerous for infosec reasons will generate a lightbulb moment and staff downing their tablets. Sadly, as Nadine Dorries is about to find out, the world is not simple, and a simplistic outlook may well backfire.
In our discussions at the Summit we did reach a consensus, in that we might as well be trying to hold back the wind as hold back BYOD. So the trick appears to be: secure the data, not the device. At least if you can do this, as well as making a good attempt to secure the device too, you can give yourself a fighting chance.
The solution appears to be layering technology to deal with the different threats: user-bought devices need to be identified and tagged, data needs to be moved around securely and probably encrypted, DLP needs to be deployed to control access, and, as Dame Stella said, acknowledge people are your weakest link and work on them. Anything less than sensible measures deployed will mean you will lose control of your data. A positive approach, accepting you can’t stop BYOD happening, including some emphasis on staff understanding the risk (if not the specifics of the technology) and giving informed consent, appears to be the only approach that has a hope of working.
Otherwise you are going to end up with a whole pile of missing data, and all of us doing our best impression of a 15-year-old school kid’s swearathon.