Last week, Telus invited me to to an information security talk at Reasearch House, one of North America’s largest data-collection facitilities.
I said yes, without fully understanding what I was walking into; check this out:
Sooo, basically I sit in this comfortable chair, on the good side of one-way-glass, and straight-up get to stare and people-watch, while they talk about my favourite topic? Yesssss.
These are senior-level Security and IT decision makers, from 6 large Canadian organizations, that I know you know.
Security is a difficult discussion for companies to have publicly, because when you point out your vulnerabilities, it opens the door to potential attacks.
That’s why I’ve blurred out their names and faces (learn how to edit a photo you’re posting online here)
These are the kind of guys who protect the company’s information, and yours. They’re not a help desk, and every phone call they receive is a, “it’s the end of the world” call. Maybe bring them doughnuts sometimes.
Today’s topic was BYOD – Bring Your Own Device.
Example: your personal cel phone, (not supplied by your employer),
is allowed to send and receive corporate email,
and connect to the corporate network
AKA: Bring Your Own Disaster
EMPLOYEES
BYOD is a bigger deal than you may realize. Thousands of devices, that are probably less-than-secure, connecting to the corporate network and WiFi. That’s now at least 3 more operating systems to accommodate, manage, and secure. Even worse, now confidential company information is walking around in someone’s pocket, going to the bar, you have a lock on your phone, right.
Mobiles are not immune to malware and virus’. One click on something stupid in social media land, and the virus comes in through your phone, out to the company network, and off it goes spreading bad news.
(One day, you’ll connect through a VPN. We’ll get into VPNs here soon)
EMPLOYERS
Maybe re-visit your employee-exit policies and procedures. I feel this might be a hole that needs plugging.
Even if you are parting on friendly terms, you still must immediately address the large amount of sensitive information on their personal device(s), and what those devices have access to.
I talked about this in my Autonet.ca article, “Toyota Secure Website Hacked”:
“If he was fired Thursday, and he used his passwords to enter the site at midnight, that would make it seven hours during which his credentials weren’t changed. That is not best practice for employee termination; account access should be immediately disabled upon notification of termination.”
And to terminated employees: don’t be offended when they do this, it’s best. You don’t want the responsibility of owning that information, especially on a mobile device.
If you take only one thing from this post:
Much of your company’s security comes down to you, the end user / employee / weakest link. I know practicing good security can be annoying and slow things down, but there’s more resting on your shoulders than you may realize.
And thanks for having me Telus, this was so neat.