Analysts: Senior staff pose data-loss risk

Senior employees are less security compliant despite the data-loss risks posed by their sophisticated mobile devices, analysts have warned
Written by Marcus Browne, Contributor

As employee-owned portable devices become more sophisticated, they become less secure, according to one analyst — and the more senior an employee, the less compliant they are when it comes to protecting the information on those devices.

"It's likely that people higher up in an organisation will be the ones who own the more sophisticated devices, and these are the types of users who resent having security imposed on them," said Jay Heiser, research vice president and security specialist at Gartner, speaking at the Gartner Symposium in Sydney on Wednesday.

James Turner, security analyst for research firm IBRS, said that he had recently hosted a roundtable discussion with a number of IT managers who had voiced this complaint.

"Some people were talking about their executives wanting the latest capabilities but resisting the use of authentication technology," Turner said.

"I think this tends to be a fairly common problem, and the important thing I say to IT managers is not to respond by hitting the panic button; you're far more likely to convince an executive of the importance of protecting their data by reminding them just how many mobiles and PDAs get left in cabs," said Turner.

Gartner's Heiser made the assertion that the security risks posed by portable devices are growing exponentially in accordance with their sophistication, level of use, and the number of devices owned by individuals.

"The more sophisticated the device, the more likely it is to contain sensitive data," said Heiser.

"I think it's fair enough to say that the more sophisticated devices are harder to protect, but the tricky thing about security is that you can't just lock everything down to cover against every feasible risk," said IBRS's Turner.

According to Turner, technically minded security specialists can often overlook the fact that accessibility is equally as important as protection. "As soon as a security process becomes too complicated users will switch off and stop taking even simple precautions," said Turner.

Gartner's Heiser believes that encryption will become one of the most important factors in securing portable devices, predicting that "in five years all laptops will be encrypted".

"Encryption for laptops will be essential eventually. I think it's a no-brainer, especially when we're finding ways to use encryption that are unobtrusive but provide a high level of protection," said Turner.

Throughout the Gartner Symposium, Heiser has suggested that many security woes — not just those involving portable devices — can be solved through access-control measures.

Heiser recommended that security officers employ mandatory access control (MAC) measures over information they thought was likely to end up on employee-owned portable devices.

While Heiser rated laptops and high-capability PDAs as being the highest-risk objects when it comes to portable devices and security, he also noted that highly prevalent consumer devices such as iPods pose a threat, given their tendency to be used as storage devices by some users.

"It's a good economy of scale to try to break something that most people have," said Turner.

"I think Apple is going to have to learn the same painful lesson that Microsoft did; the bigger your market share, and the more popular your products are, the more likely it is you'll get attacked," said Turner.

Editorial standards