Conclusion: IT departments must alert both HR and legal counsel that the Mobile Device Management (MDM) platforms being deployed have the potential to put the organisation in breach of workplace surveillance legislation. MDMs can activate the cameras built into smartphones, activate the microphone, and access the smartphone’s GPS. Working with Legal and HR will likely result in new Acceptable Usage Policies for staff, and IT most likely needs to review controls for the MDM platform to ensure that these capabilities are not abused.
Conclusion: While a number of organisations are interested in filtering the content reaching corporate-issued smartphones and tablets, very few have taken this step. Most organisations take the view that the risk of an employee accessing inappropriate content over a 3G/4G connection, and offending their colleagues, is low and best managed through line managers and policy. Typically these trusted staff are also reasonably senior, which is why they were issued a corporate device in the first place. The perspective changes, though, if the organisation is concerned about field staff wasting time. In these instances, restrictions are seen as an aid to productivity and the device is heavily restricted.
Conclusion: The intention and skill of an attacker will ultimately determine the impact of an attack, regardless of the preventative technologies an organisation has in place. In this respect, a skilled attacker intent on destruction is akin to a natural disaster: measures can be taken, but ultimately it’s out of your hands. We cannot prevent floods and earthquakes, so what makes a difference is how organisations respond to these disasters. It is imperative that organisations with disaster recovery and crisis management processes extend these to include responding to cybercrime. The first area to look at is how the organisation will deal with not being in control of its own IT, including communications systems such as email and VoIP.
Many years ago when I lived in Perth, one evening after work I was standing in chest-deep water at Cottesloe beach admiring the sunset. I happened to turn and look to my left and saw a fin sliding out to sea, about 10 metres away.
I quickly realised that the fin was making the sine wave motion of a dolphin, not the sideways sweep of a shark. When I turned to face the beach, there was a small crowd of 20 or so people gathered at the water’s edge. As I got out, a lady said to me, “He was swimming right behind you”.
Conclusion: As organisations become increasingly dependent on computer systems, IT will have an increasingly important role to play in preventing and detecting fraud. CIOs must ensure that there are sufficient checks and balances to minimise the risk of IT professionals abusing their elevated system privileges, and that systems are configured to produce useful logs. CIOs should also ensure that policies for the prevention and detection of fraud are tested and enforced. Policies for log management and data retention should be given high priority.
Conclusion: Security incident and event management (SIEM) products can deliver solid insights into the security status of an organisation’s network. However, SIEM requires ongoing support, mature change control processes, and rapid and open communications between diverse teams within the IT department, as well as with the rest of the organisation. A successful SIEM deployment must factor in the resources required for ongoing support. These resources will be in proportion to the complexity of the network.
Conclusion: Blackberry 10 will, at best, bring Blackberry functionality to where iOS and Android have been for over a year. However, most organisations are moving away from Blackberry, either publicly or in a steady, quiet exodus as users choose which handset they’d rather have. BB10 will not stop this exodus, as it is designed for the enterprise, not the consumer. The steady decline in RIM’s fortunes will be painless for most organisations, except the few that are tightly coupled to the Blackberry ecosystem. These organisations should act now to minimise the coming impact of dealing with a company with a bleak future.
Conclusion: While there is a surprising level of interest inside some IT departments in building their own data centre within an office complex, the arguments against this strategy are overwhelming. The few organisations that can financially justify building their own data centre are those that prefer spending Capex to Opex, have the Capex to spend and, ideally, can distribute this cost to others. While the idea of an on-premises data centre can be driven by a misplaced belief in control, it carries many risks that most CIOs should not be interested in managing, and costs that most CIOs would not want to pay.
Conclusion: Organisations which have gone down the Mobile Device Management (MDM) path with a view to enabling their staff to bring their own device (BYOD) are discovering the shortfalls of this device-control approach. A BYOD device is not a corporate asset and cannot be treated as such: it should be viewed as untrusted and treated accordingly. Consequently, leading organisations are treating BYOD as an exercise in remote access. Instead of trying to control the untrusted device, focus on the user experience and on controlling access to the data.
Conclusion: One of the functions of a board is to minimise business risks to the shareholders. As signing a major contract with a managed services provider involves significant risks, such as the failure to deliver critical IT services, boards need to be convinced that the risks are known and can be minimised by vigilant management.