SINGAPORE--Despite the increasing use of personal devices at work, most organizations in Asia still do not have proper policies in place to govern bring-your-own-device (BYOD) adoption, and issues around data management remain unaddressed.
These were some observations highlighted by participants in a ZDNet roundtable discussion, which included representatives from the hardware, software, and services market segments.
Ng See Sing, head of business application services at Singapore-based systems integrator NCS, noted hesitation among organizations in Singapore to embrace enterprise mobility due to security concerns, since it involves devices that belong to employees.
Companies are also anxious about the budget needed to support enterprise mobility as expectations will expand beyond simply the front-end apps, and they question if it will really lead to productivity gains, Ng said. Such questions are still not properly addressed, he said, so enterprises avoid jumping into BYOD and remain behind the curve.
Jimmy Sng, committee member at Singapore's Association of Information Security Professionals (AISP), also noted that mobility occurs "accidentally" for most companies and many do not know how to deal with it.
"The strategy, the support, the sustainability [of enterprise mobility], and more importantly the security, are an afterthought and not what they plan for," said Sng, whose day job sees him as partner in technology advisory practice for PricewaterhouseCoopers (PwC) Singapore.
Guido Crucq, general manager for security solutions at Dimension Data Asia-Pacific, pointed to data replication as the cause of a key security hole. "Data is now put everywhere. There are different instances of the corporate e-mail [on the desktop, tablet, and mobile phone]," he explained. "We also bring in our own applications [such as] backup software, and note-taking software. The data goes everywhere and there's no proper SLA (service level agreement) in place."
Crucq also pointed to unmanaged devices as a key security hole.
Pratyush Khare, technical director of archival solutions at Hitachi Data Systems (HDS) Asia-Pacific, agreed. Citing an internal survey, he said employees would still use Dropbox even if it was banned in the company because it is convenient.
Khare also noted CIO concerns about how data can be kept safe in the event of human error, and whether the company has the prerogative to remotely erase data on a personal device in cases of theft or loss. "Can [the IT department] do a remote wipe when the device is owned by the employee? Who owns the data [in this case]? If the IT dept wipes the data on their device, would the employees accept it? These are the things that worry CIOs when we talk about BYOD security," he said.
Sng said organizations need to learn to deal with "true mobility" which results in "porous" infrastructures where a lot of data, which is of high value to the company, is leaking out.
Khare added that an enterprise mobility strategy should encompass a combination of technology, processes, and people.
Safer alternatives, user education
Oh Sieng Chye, virus researcher at security vendor ESET, said: "It comes down to the human. Constant and consistent security awareness in the enterprise is very important. At the end of the day, it's the human who leaks the data."
Khare urged organizations to provide safer alternatives instead of simply banning employees from using third-party apps. "We need to tell employees that if this app is helping you make your life better but is not safe for use, we will give you an app that's safer."
Crucq concluded that an enterprise mobility strategy should be deployed at boardroom level, comprising the benefits of employee productivity and getting the right talent into the organization. It also should look at the whole ecosystem encompassing devices, network connectivity, security policies, overall HR and legal policies, and should include support for employees should something break.
He also advised companies to start small. "And don't start boiling the ocean. Start small. Small business units, small processes," he said.
- Guido Crucq, general manager for security solutions, Dimension Data Asia-Pacific
- Jimmy Sng, committee member at Association of Information Security Professionals (AISP); and partner in technology advisory practice, PricewaterhouseCoopers (PwC) Singapore
- John Brand, vice president and principal analyst, Forrester Research
- Ng See Sing, head of portal city and business application services, NCS
- Oh Sieng Chye, Virus researcher, ESET
- Pratyush Khare, technical director of archival solutions, Hitachi Data Systems (HDS) Asia-Pacific
- Stephanie Boo, regional director of South Asia-Pacific, FireEye
- Stuart King, strategy director of end-user computing business, Dell Asia-Pacific and Japan