Consumerisation Of IT & The Impact On Enterprise Security
End users are influencing IT and security decisions in the workplace more than ever before, forcing organisations to introduce consumer devices and Web-based services to the workplace.
According to two surveys commissioned by RSA and the Security for Business Innovation Council (SBIC) in mid-2010, there has been a significant rise in users' influence on device and application purchasing decisions within the enterprise over the past few years.
Until a few years ago, IT departments used to control 100% of the company's infrastructure, but now with user-driven IT, this is beginning to change. The line is now blurred between the use of IT devices at home and in the workplace.
This is especially true of people who have grown up with technology and are attached to their devices: they not only insist on being allowed to use them within the enterprise but also want access to social networking and blogging sites.
But the trend brings new risks for enterprises, in which uncontrolled endpoints can introduce malware and other threats onto corporate networks, resulting in attacks on valuable data within the organisation.
The surveys of nearly 400 security and IT decision makers in India and other countries revealed a sharp rise in enterprise adoption of consumer technologies and underscored how unprepared organisations are to manage the risks associated with this new reality.
Key findings of the report included:
- 76 percent of security and IT leaders believe user influence on device and application purchase decisions within the enterprise is on the rise.
- More than 60 percent of respondents report that users have some input regarding the types of smartphones purchased, with 20 percent reporting that they let users decide.
- Even when it comes to desktops and laptops, users have input into purchasing decisions at 35 percent and 47 percent of companies, respectively.
- Though most companies have policies aimed at preventing or limiting the connection of personal devices to the corporate network, nearly 60 percent of respondents said that unauthorised connections to the corporate network still occur.
- More than 80 percent of companies now allow some form of access to social networking sites. Of those companies, 62 percent are already using it as a vehicle for external communication with customers and partners.
- However, most companies are not fully prepared to confront this trend from a security standpoint and do not have the right level of security in place to accommodate increased access to consumer devices and applications. It is essential for companies to thoroughly calculate the risks associated with consumer technologies and applications before users begin using them for business purposes, but gaps in security strategies reveal that many don’t calculate the risks at all.
The key risks in such situations are:
- Lack of cohesive choice computing strategy
- Unauthorised connections to corporate network
- Serious breaches or incidents stemming from personal devices
- Users jumping in before security teams test the water
Impact On Enterprise-wide Policies And Processes
With the proliferation of consumer devices within an organisation, enterprise data is increasingly processed and stored in places and ways that are much more difficult to secure. This has led to the need for having strong security policies in place that can protect a company’s assets. This is especially important with social networking sites and tools (which easily blur the lines between personal and professional information) and laptops and other mobile devices (which if lost or stolen can expose any critical data they contain).
Based on the collective insights of the Security for Business Innovation Council, which includes some of the world's top security officers, the SBIC report on the subject made some recommendations to prepare information security teams to securely give their users more flexibility in computing. Specific guidance includes:
Shift Minds to the Times: As users increasingly make decisions about how technology is used in the enterprise, security teams must shift their attitudes from command and control to business enablement, which is the key objective.
Reframe Users as Assets: The average person has become a sophisticated technology user. Instead of treating user education as one-way communication, security needs to re-invent it as a two-way conversation. A computer-"proficient" end user is more of an asset than a merely computer-"literate" user or operator. Today the end user can do just about anything with a computer or personal device connected to the corporate network, and becomes a promotable asset to the company.
Support Calculated Risk-Taking: User-driven IT introduces a whole new set of risks that are compounded by escalating compliance and legal obligations and an evolving threat landscape. To help keep the risks to an acceptable level, security professionals must know and understand the risks and be acutely attuned to their organisations' risk appetites, analysing in detail issues of ownership and representation, e-discovery, the growth of mobile malware, and phishing dangers on social networking sites.
Get in Front of Technology Trends: To gauge the risks and rewards of user-driven IT, the security team will have to get up to speed on consumer devices and applications as well as the technologies that enable enterprise deployments. Hence it is essential to keep pace with future-critical technologies including virtualisation, thin computing, cloud computing and advanced authentication and security technologies.
Own the Future: In the rapidly changing world of consumer technology, the ability to anticipate changes before they happen will be more important than ever. Hence it is important to set up cross-functional teams, establish flexible budgets with built-in contingency funds and use pilot projects to limit exposure and gain enterprise experience.
Collaborate with Vendors: The SBIC report also mentions that vendors can play a key role in enabling user-driven IT and hence it is critical to partner with them to understand what’s on the horizon and shape future enterprise offerings.
Protecting The Enterprise’s Interests
It is interesting to note, though, that most incidents of sensitive corporate data leaks happen unintentionally, either because of a lack of awareness on the employees’ part or a careless mistake that the organisation’s security infrastructure was unable to detect and tackle.
Hence, while organisations lean towards allowing access to social websites and the like within the organisation, they also need to implement a holistic security strategy that encompasses all aspects of security. If the enterprise can govern access to information so that only the right employees have it, loss of data from within the organisation or through attackers getting into the network can be minimised.
Educating employees is an important best practice that an organisation can follow, but it too has its limitations. A much better approach is to implement a security strategy that is information-centric and focuses on risk.
The author is Country Manager, RSA India & SAARC.