Thursday, April 26, 2012

UK stats: An alarming lack of concern for work data on personal devices

Today the Information Commissioner's Office published a research survey, conducted by YouGov, that shows an alarming lack of concern for business data kept on personal phones and laptops.  People regularly simply throw devices away without fully ensuring that the confidential information is deleted properly before doing so, potentially allowing data to be accessed by someone else.

Work documents on personal devices

The survey showed that 34% of the UK have work documents on their personal computer, laptop or mobile phone.

Data deletion on old devices

In the same survey, people were asked what they do about the data when disposing of phones and computers.  10% said that they never delete the data on them, 13% said that they simply ask a friend and 29% said that they use the standard delete tools.  (7% said that they didn't know - I think we can assume that if you don't know, you are not making sure that all data is deleted.)

Disposal Options

28% have simply put devices out with the rubbish, 44% give them away to someone else and 21% of people sell devices, such as via eBay.

So, if we take these three sets of statistics together, we can see a major issue where confidential business information could easily be found on phones and computers.  Of course, in the last few years, the amount of data carried on phones and other mobile devices has exploded - so this survey probably mainly concerns dumb phones being traded in, and the problem is therefore likely to worsen unless employees and employers understand the risks and ensure that data does not stay on devices that are no longer in use.

The report and full statistics are available in this Excel file.

The press release (that also covers what was found when the ICO bought second-hand disk drives) is here.

All figures, unless otherwise stated, are from YouGov Plc.  Total sample size was 2031 adults. Fieldwork was undertaken between 22nd - 24th February 2012.  The survey was carried out online. The figures have been weighted and are representative of all GB adults (aged 18+).

Wednesday, April 11, 2012

Is your data just walking out the door?

In November my team and I ran a series of 36 events in 29 countries for IT management and IT resellers.  I asked two questions of the audience at those I attended.

1. Do you have your own phone, iPad or PC that belongs to you that you use to access your employer's information?

2. Does your employer have systems in place to control and manage those devices and the data on them?

Around 75% of the people I asked responded with yes to question one, but virtually no-one had a positive answer to question two.

Meanwhile, sales of iPads keep accelerating and Gartner's recent report is predicting a doubling of sales of tablets in 2012 compared to 2011 and sales of 369M tablets in 2016.  Gartner's report reiterates that Apple will continue to be the dominant player, but that Microsoft, RIM and Android devices will all be taking market share with expectations that Microsoft will have greater success in the corporate space.

So, the numbers are huge and growing fast, but even these are just sales and not the installed base of devices.  See the graphs below - the left-hand one shows iOS tablet sales (blue) and the rest of the market (green) for prior years and the Gartner predictions, but the right-hand graph shows total in use - rising near to 200M this year and above 750M by 2016, around a doubling of the installed base each year.

As I see it, most new employees in IT companies come along with their favourite devices so as employees change jobs, it is even more difficult for IT to hold to a single corporate standard (if that hasn't already died).

And, I haven't even spoken about phones - where the numbers are larger, the number of different devices even greater and the product life-cycle shorter, meaning more churn, more devices to manage and therefore additional complexity.

So, in your organisation, how many employees have access to your data on their devices now and what do you predict for the future?  What happens when they leave the organisation, can you remotely wipe the data?  What happens when they lose it or it is stolen?  Is the data encrypted?  How do you ensure that no-one brings in a device that has been infected when outside the organisation?

In the last decade, corporate IT recognised that everyone needed web security as well as desktop security such as anti-virus.  Now, every organisation needs Mobile Device Management and it needs it fast, it needs to be able to cope with many different demands and grow as the company grows.  In the same way that Websense, Secure Computing and Blue Coat grew to share the web security market, another set of new companies are delivering exciting technology to manage mobile devices.

The elements of MDM include policy enforcement, device inventory, security and software distribution.  IT departments need to find someone to lead this project, perhaps the job title is Chief Mobility Officer and that person needs to look at the various vendors carefully - the latest Gartner Magic Quadrant from April last year lists over twenty vendors in the space with another 25 listed as providing some features.

If you haven't seen it - one of the vendors in the Leader's Quadrant - MobileIron - has the document available on their web site.  Happy reading, let's keep our data and devices safe, before all our information walks right out of the door.

Existing sales from Apple, NPD Research and forecast from Gartner Inc.

Monday, April 2, 2012

UK government snooping - who is lobbying and why now?

Yesterday was a Sunday, an unusual day you'd think for a major government announcement to be publicised.  There have been a lot of news stories on the government's new (looks familiar to me, but we'll get to that) ideas about forcing ISPs to hold data on all emails, text messages and phone calls of all UK citizens over the last day.  I was planning to write what I thought about the proposals themselves, but that has been done so well that I have decided to go in two different directions.

BTW: Two of the best articles about this are here and here - feel free to read and come back...

I want to go in two different directions - firstly who is lobbying for it and secondly why did it come out yesterday (and do the government really mean it).

1. Who is lobbying for it....

As shown in the Telegraph article - this seems a bit like a sledgehammer to crack a nut.  But it is clear that there's been behind-the-scenes lobbying and, as with the previous government, it looks like every new administration says before they come in that they will roll back laws that attack citizens' rights (see articles on statements about repealing the Digital Economy Act before the last election).  After a short time in power that commitment is forgotten (too busy passing new laws to kill old ones) and after around two years of lobbying they decide that the best thing is to introduce new ones (and it's for your own good, you silly citizens, don't you realise how hard this governing job is, we need more options to check up on everyone).

Smart terrorists and major crime figures would also be intelligent enough not to be caught with it.  Send your texts to throw-away mobile phones, don't actually send emails - just edit a web page and let the other person look at it, or use the many different methods of encryption or don't use electronic communication at all.  So, who would it possibly catch?  The dim or the unorganised - though again as the article from Tom Chivers says we seem to be doing OK at catching the unorganised.

So, the first possibility is that someone in the security services who doesn't realise how easily the technology can be circumvented is lobbying for it.  If this is the case, then they need some independent IT people that can show them the holes in the proposals, ("independent" meaning not someone who might benefit from installing it - yes, really, that does need to be said).  Having had a few meetings with people like senior members of government bodies to regulate the Internet, I have seen government's cluelessness and lack of understanding first-hand, so I could believe this one.

Secondly, it could be the police.  Not looking for initial security problems, but as soon as someone is found who is "of interest", then sweeping up all their friends as possible co-conspirators.  I can see that having some merit, though again only catching those who aren't very clued up on technology themselves.

Thirdly, perhaps they want the technology installed, then its remit can be widened (the slippery slope argument).  But who is the shadowy "they"?  Not sure myself, again I guess the security folks.  Perhaps it's simply a game to get more resources, along the lines of "if the government give me more responsibility, I'll have to have more staff and a higher budget".

Fourthly, the vendors.  Let's be honest, they have something to sell and they'd get a huge windfall if the government can be persuaded to introduce another law forcing ISPs to install more monitoring equipment in their offices.  I can hear the sales-people now saying to the government "and just think, if you want this data and don't want to pay for the equipment, all you have to do is force the ISPs to do so.  People will have to spend a few quid more a month on their ISP connection, but you don't have to".

2. Why now?

Answer this question and maybe, just maybe, we'll know that question 1 is irrelevant.  Why now?  Why the day after probably the worst PR ten days for the government?

Now call me cynical - but after the granny-tax, reduction in income tax for those over £150,000, pasty-tax and petrol-in-a-jerry-can wheeze, did someone on Friday night wonder to themselves if they could change the story to something else?  As this proposal has been floating about for years (6 years ago, the Labour Party introduced the same thing), the discussion documents to promote it are ready and allowing it to slip out will change the political football from the series of embarrassing discussions to one that looks, at first glance, to be more significant.

But do the government really care?  Are they really interested if this bill passes or fails or, under heavy pressure, will they, like the Labour Party before them, just sideline it as too much bother to worry with?  In the meantime, we've all swallowed the bait, have started discussing a topic that will go on for a year and moved on from all the previous stories.  Meanwhile, the government can tell whoever is lobbying for it "see, we've done what you asked, sorry it didn't work out".

I guess we'll see if they really push this one through.  My bet is that it will die, but it will take a lot of effort to kill it from privacy campaigners and Internet experts.  Then, a new election and two years later we'll all be back.