Investec CISO warns of risks from BYOD and unchecked cloud use

Firms must keep track of the cloud services being used by staff

Financial giant Investec has underlined the dangers posed by the bring your own device (BYOD) culture in organisations, covering hardware such as smartphones and tablets but also software services based in the cloud.

David Cripps, chief information security officer at Investec, said at the ISC2 Security Congress in London that Investec has signed up for around 15 cloud services.

However, an audit found that this number was actually “a lot higher” as staff were using myriad other services to do their jobs, regardless of the security problems this could cause.

“If you’ve never done an exercise to find out what your staff are doing, I recommend it,” Cripps said.

This is a concern as the vast majority of cloud services lack basic security protocols.

“Of the 3,000 or so cloud services out there, only five percent have ISO certification and only 10 percent allow some sort of two-factor authentication,” warned Cripps.

On the hardware side, Cripps noted that the boundaries between device categories are blurring even more, pointing specifically to Microsoft’s Surface Pro, and that this is creating new questions and problems.

“What is the Surface? Is it a portable device or a laptop? What camp does it fall into? Should we do full disk encryption, or use virtualisation? It’s the first sort of boundary device that we don’t know what it is,” he said.

Cripps also noted that data retention, and understanding where specific data is being held, is vital for organisations working in heavily regulated industries, but that it is getting increasingly complicated.

He referred specifically to ‘litigation hold’, where a company is ordered not to delete any data that may be relevant to an impending legal case.

“In the past you could put a flag against the data in a mainframe and say ‘do not delete’. Now, we are in a world where we don’t know where the data is, who is processing it or who is controlling it. It makes ‘litigation hold’ a nightmare,” he said.

Cripps urged organisations to seek out the Information Commissioner’s Office guidance on BYOD, which gives advice on key areas such as having policies in place, helping management understand the risks of BYOD, and the storage and accuracy of data.


9 December 2014 | 4:01 pm

