Security is all well and good, but don’t forget the human factor, Imation’s EMEA VP Nick Banks tells CBR.
Imation has been an established company since the late 1990s, making its name in the storage market before moving towards data security and flexible working, mainly thanks to its IronKey device, one of only five certified to work with Microsoft’s Windows To Go feature. CBR sat down with Nick Banks, Imation Mobile Security’s EMEA VP, to find out more.
First off, can you tell us some more about your involvement with Windows To Go?
It is a brand new market, which has great legs to it. It’s not only for consultants, contractors, people in hostile environments, governments, national health departments, but also for companies migrating from different versions of Windows, especially with strategic deployments of new software within the company.
It’s also useful for companies looking at hardware replacement, as budgets are being cut, and people aren’t getting new laptops every three years anymore. But a device with Windows To Go on, as well as your company image and applications, can do the job at a fraction of the cost.
Imation has said that it is planning for 1,000% growth this year – can you tell us more about that?
Yes, we are, but then again, in all honesty, one dollar to ten dollars is a 1000% growth, so it’s still a very small number! In Europe, the opportunity for Windows To Go is huge, in terms of the advantages for companies in terms of budgetary saving, flexibility of working, or as part of a disaster recovery set of protocols.
It’s about being able to give workers a device you can carry between work and home, but then at home still have the same image they see on their desktop in the office, meaning that there is no calling into the IT department saying, "How do I find this?" People work far better if they are comfortable with the image that they’re seeing on their desktop – once you give them a strange image, that’s when calls start coming in. Repetitiveness makes people experts, when actually if you take them out of that comfort zone, their expertise quickly dissolves into the normal state of "what do I do?"
You’ve mentioned BYOD – where does Windows To Go fit into this?
Recent research found 70% of workers in the US and Europe said that if the BYOD policy in their company meant that their own private information and private computing life could be looked at and monitored, and even worse, wiped, by the company they work for, then they would not be happy to adopt a BYOD working environment.
What hasn’t been widely discussed is that if you start doing BYOD, where do you draw the line around what the company can look at of your own personal life? With a Windows To Go device, it’s very easy to partition, so on the one side you can have your work profile, and on the other, your personal, meaning that if at some point in the future, the company decides to wipe, delete, monitor your work activity, your private life remains safe, as they can remotely monitor and wipe the Windows To Go stick, but not what is on your hard drive.
So do encryption and management go hand-in-hand?
The two go hand-in-hand, for sure. I think it’s extremely important that you have encryption, because unfortunately it is all very well talking about companies who may have the best security in the world, but the one weak link that always survives in companies is the human being. They cannot cope with a multitude of passwords for different work environments, so they obviously always tend to rely on the same one or two – the most I’ve ever come across is someone with five passwords, but after that, you forget which password goes with which.
It’s difficult, so people fall back to that usual position of ‘one password fits all’. So it’s really important that you have management, because you need to have the information encrypted, but you also need some way of managing that encryption, as well as managing the person, and their weaknesses.
IT budgets are often the first to be slashed during difficult financial times, so how well do you think companies are doing at spending their cash on the right things, such as encryption?
I think we’re back to the ‘ticking the box’, getting ‘good enough’ security standards situation. But what people forget about when saying that something is ‘good enough’ is that they’re talking about ‘good enough’ for today, and the one thing about security is that it changes at such a rapid rate – so what was good enough in 2009, 2010, 2011, is not necessarily good enough now.
The cybercriminals who are looking to steal data do not sit still. They didn’t cut their budgets just because the enterprise customers they’re targeting cut theirs; in fact, they did the opposite. Their budget is basically their time; that’s something they didn’t have to cut.
What kind of security trends do you think we’re going to see in the next year or two?
I think a lot of companies will start to realise that however much money they’ve spent on securing the perimeter and trying to keep people out, at some point they will be penetrated, and when they are, what they’ve got to then look to do within their network is have a security policy which enables them to have business continuity.
Companies need to have security software or hardware which enables them to shut down the infected parts of their network, cutting them off until all has been fixed, but doing it in such a way that won’t affect the rest of the business. Or, alternatively, they need a device which is separate but part of the network which can act as part of a disaster recovery system. They can then say, yes, I’m going to be penetrated, so how can we continue to work, and the way to do that is to have the company image on a removable device which can go into anywhere, so if necessary you could even send them all into the local library and they would still be able to work.
In the next few years there are going to be penetrations done at big companies, and if they haven’t taken the right steps, they will come to a grinding halt.
Finally, what would be your top tips for IT decision makers at companies looking to improve their security?
I would say that first of all, you need to look beyond the ‘good enough’. You then need to ensure that the security is managed. And most of all, you need to ensure that you have a proper security statement within the company that all your employees understand and adhere to, because the weak point of security is the human element, and unless you have all of this then your company, however much money you spend on security, will always be at risk.