As president, Bill Clinton sent only two email messages. George W. Bush didn’t send any. But Barack Obama, who took office in early 2009, put an end to that trend. As the world’s most famous “CrackBerry” addict, Obama famously quipped: “They’re going to pry it out of my hands.” Turns out, they didn’t, but Obama’s BlackBerry isn’t like your or mine, it comes equipped with layers of security that would make Jack Bauer jealous.
But what if you’re not the President of the United States? Many of us get used to a certain level of convenience with the devices in our private lives and, like Obama, want to enjoy the same at work. This situation, played out tens of thousands of times a day worldwide, is becoming an issue that simply will not go away. In the UK alone, says PricewaterhouseCoopers, security breaches are costing billions, and mobile security is a particular concern.
This past February, Route1 (TSXV:ROI), a Toronto-based provider of security and identity management, publicly commended the U.S. Air Force on their decision to cancel an order of iPad 2’s, citing the “…real and material risks if the appropriate diligence is not performed in establishing security protocols first.” Cantech Letter talked to Route1 CEO Tony Busseri about the increasingly perilous environment enterprises and institutions face in securing their data, and why bringing that iPad to work might be a terrible idea.
Tony, do you think enterprises and institutions are taking security too lightly?
Good question. I believe that governments are taking their cybersecurity more seriously than others, and commend the recent increased emphasis placed on this matter. But there is a long way to go! Several entities across North America, in both the U.S. and Canadian governments, should be applauded for their forward thinking approach to empowering mobile computing /teleworking with easy-to-use technology that lets the user do their job effectively while offsite, and protects the integrity of data files and information by ensuring it remains secured behind the enterprise’s firewall. However, when organizations, government or private business, allow users to extract data from the network and store it on an external device, they ask for trouble and open the door to attack. Considering the myriad of breaches that dominate the headlines each day, any organization that does not follow this simple protocol is clearly not cognizant of the catastrophic consequences of their actions. The recent RSA breach, for example, could possibly cost the banking industry close to $100 million.
This story is brought to you by Cantech Letter sponsor BIOX (TSX:BX). The largest producer of biodiesel in Canada, BIOX’s proprietary production process has the capability to use a variety of feedstock, including recycled vegetable oils, agricultural seed oils, yellow greases and tallow. For more information CLICK HERE.
What solutions do you think large institutions should be embracing for their mobile needs?
Remote workers must have easy-use, convenient tools that provide them with an identical user experience to that when they are in the office, with one exception: no data should be allowed to exit the enterprise firewall. Adherence to this principle eliminates any risk of cache, file transfer, middleware or footprint on a guest PC. When employees work on the road, they most often use the public Internet and their personal devices such as a PC, laptop, tablet or smartphone, which means that sensitive company data and information is not safe behind the company’s firewall, but instead is quite vulnerable to a never-ending range of security breaches. At Route1, we believe in Identity Management: the principle of assuring the identity of an individual, not a PC, tablet, smartphone or other device. Technology must ensure and protect the integrity of all data files and material.
The media of late has been quick to point out that large companies such as Halliburton have switched their staffs from BlackBerrys, which are encrypted, to iPhones, which are not. Do you think this is a mistake?
It all honesty, it depends on what each company allows their employees to do with their devices. What information are they able to access and can they download it externally? Regardless of device, secure remote access must be founded on the premise of multifactor authentication: something you know, such as passwords, PIN, etcetera and something you have, such as hardware that is separate from the guest computer and a CAC card. Earlier this year, we issued a public announcement commending the U.S. Air Force Special Operations Command for cancelling their plans to use the iPad2, which were intended to serve as electronic flight bags, storing digital versions of paper charts and technical manuals. The use of commercial off-the-shelf tablets and other mobile computing solutions, including smartphones, can pose a serious risk for any military or business organization with data being stored outside of its network. Once outside the network, good data security relies partially on the underlying security of the device the user is using as their remote interface.We strongly believe that any solution based on removing data from behind the organization’s firewalls has substantive risk with data integrity.
Route1 is an emerging player in digital security and identity management. What are some the problems you deal with when addressing the needs of large institutions with sensitive data?
Every deployment is unique and has its own challenges and requirements. The one unifying factor, however, is the need for enterprise-wide acceptance that at its core, effective security begins with sound policies enforcement and management. From government to business, let us assume that everyone understands and agrees on the need for data protection. However, very few organizations have looked at their policies and procedures to determine if their actual approach to protecting data is consistent with their stated approach. Consider, for example, a law firm. Have you ever tried to walk into a law firm’s office without an appointment? Impossible. Have you ever tried to get a lawyer to talk about his client? No luck. But you would be surprised to know that several law firms allow their lawyers to save confidential client information on their computer’s local drive and/or the firms use remote access tools that have low-level or no user authentication, no entitlement management tools, and minimal, or no, data protection. There is no such thing as perfect security, but that is no excuse for the inadequate protocols and technologies being used more often than not.