Technology and data security were the topics du jour last week at the PwC-hosted Boston KnowledgeNet. As privacy professionals seek the best ways to combat data breaches, many are looking at different methods to protect their information assets - whether through privacy-enhancing technology, strong encryption, or robust bring-your-own-device (BYOD) policies.
All of those security measures, however, have the potential to be undermined in the simplest way possible: human error.
Ken Mortensen, CIPM, CIPP/G, CIPP/US, senior managing director at PwC; Peter McLaughlin, CIPP/US, counsel at DLA Piper; and Avi Berliner, manager at PwC, discussed how human error can thwart the most sophisticated security techniques.
“We can plug any port in the firewall. We can implement any device to capture the information. The weak point within any organization is the people,” said Berliner. “It’s not that we don’t trust these people. It’s just that people are human.”
Berliner highlighted mobile device security as a particular example where human error comes into play. An organization can implement the strongest mobile security procedures imaginable, but all it takes is for an employee to take a picture, send an email, or even walk out with information to render those protections useless.
Mortensen shared an example he once saw of a company attempting to secure information by placing white text on white backgrounds within PDFs sent throughout the company. Since the text was still present in the electronic document, it was easily discovered; the case was an instance of a half-measure where safeguarding the information required more than hiding it from view. While barriers can be implemented, Mortensen said, smart individuals will always find a way to work around them.
Another major topic touched upon was the difference between the iOS and Android security frameworks and their effect on BYOD policies. While Apple’s operating system functions as a closed system, Android is open source, allowing users to dictate how the system will function. Having multiple mobile operating systems - one of which is open source and infinitely variable - can make BYOD policies difficult to enforce. While companies can vet certain models and vendors, the existence of these many versions of an operating system can make it challenging for organizations to feel comfortable with employees using their own devices.
“It’s woefully insufficient to just check the security of the app. While you may be fine vis-à-vis the app on the iPhone, Android and the Android operating system comes in so many different flavors,” said McLaughlin. “If you are creating an app that’s going to be connected to your home security system, you really want to know that the app is going to be secure for your users regardless of whether they are using iOS or any flavor of Android.”
Mortensen said vetting vendors and devices allows for the distinction between corporate liability and personal liability. PwC has a BYOD policy, but Mortensen makes sure his personal and professional worlds remain separate. He showed off his two smartphones to the audience, saying while his kids don’t understand why he needs two devices, he felt far more comfortable with his current setup.
The presentation also covered the differences between personally owned devices, corporate-owned devices, mobile consumer applications and mobile corporate applications.
Personally owned devices contain applications, preferences and settings that carry more risk than those seen on corporate-owned devices. Organizations have more control over devices they own, but that control comes at a cost: it takes time and resources for an organization's IT team to pre-vet corporate-approved devices. Berliner said that cost plays a big role in whether a company will create a BYOD policy, as some corporations may not invest in ensuring all devices are secure.
Mobile consumer apps are created by businesses to boost productivity and employee satisfaction, but they must also be vetted by the company’s security department, since they create risk by allowing access to sensitive consumer information. Mobile corporate apps also heighten productivity and satisfaction, but are internally facing. These apps access sensitive company data - including executives asking to access data such as company financials - creating another security risk companies need to address.
Another way strong security features can be weakened is through a device’s password options. McLaughlin was highly critical of passwords, saying he focuses on password rotation and complexity. At one point, he held up his iPhone, showing attendees the device’s lock screen. McLaughlin noted the screen had a numeric keypad with four dots above it, meaning his passcode is one of a limited set of four-digit combinations. One way to make passwords more effective is to add letters and capitalizations, making the number of combinations “exponentially” higher than a four-digit numeric code. The simplicity of a password can render any encryption efforts moot.
“When people are looking at the sophistication of encryption, it’s not a magic bullet, because it can be undermined," said McLaughlin. “It can be undermined simply by Peter’s thumbprint, or Peter’s six-digit code.”
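To make McLaughlin's point concrete, the following is an added example (not code from the original post or from the speakers) that estimates the search space a lock code gives an attacker, based only on its length and the character classes it uses. The character-class sizes are assumptions about an ASCII keyboard, and the sample codes are constructed; the baseline is the four-digit numeric code from the talk.

```python
import math
import string

# Assumed alphabet sizes per character class (ASCII keyboard).
CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "upper": 26,
    "symbols": len(string.punctuation),  # 32 printable ASCII punctuation marks
}


def character_classes(passcode: str) -> set:
    """Return the set of character classes the passcode draws from."""
    classes = set()
    for ch in passcode:
        if ch in string.digits:
            classes.add("digits")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.punctuation:
            classes.add("symbols")
        else:
            raise ValueError(f"unsupported character: {ch!r}")
    return classes


def keyspace(passcode: str) -> int:
    """Number of codes of the same length drawn from the same classes.

    This is what an exhaustive guesser must cover in the worst case; it is
    alphabet_size ** length, which is why adding a class or a character
    grows the space exponentially rather than linearly.
    """
    alphabet = sum(CHARSET_SIZES[c] for c in character_classes(passcode))
    return alphabet ** len(passcode)


def entropy_bits(passcode: str) -> float:
    """Keyspace expressed in bits, the usual way policies state strength."""
    return math.log2(keyspace(passcode))


def relative_to_pin(passcode: str, baseline: str = "1234") -> float:
    """How many times larger the search space is than a four-digit PIN."""
    return keyspace(passcode) / keyspace(baseline)


if __name__ == "__main__":
    # Constructed sample codes: the 4-digit PIN from the talk, the 6-digit
    # code McLaughlin mentions, and a 6-character mixed-case alphanumeric code.
    for code in ("1234", "123456", "Ab3dEf"):
        print(f"{code!r:10} classes={sorted(character_classes(code))} "
              f"keyspace={keyspace(code):,} bits={entropy_bits(code):.1f} "
              f"x{relative_to_pin(code):,.0f} vs 4-digit PIN")
```

The numbers only describe the guessing effort; as the panel notes, a biometric or a short code that unlocks the device bypasses the encryption regardless of how strong the underlying cipher is, so policy should constrain the unlock method as well as the cipher.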
With technology continuing to advance, privacy professionals need to take a step back to make sure simple measures are in place if their systems are to hold up against hackers and data breaches. Whether it’s educating employees, creating robust BYOD policies, or rotating passwords, privacy professionals’ best bet may lie within their own organizations.