Companies struggling with consumerisation of IT
According to Rik Ferguson, Director of Security Research & Communications EMEA at Trend Micro, the consumerisation of IT refers to consumer-focused technology being brought into the workplace.
It incorporates Bring Your Own Device (BYOD), where employees bring their own mobile or laptop to work, but also includes Webmail, Twitter, Facebook, LinkedIn, YouTube, Dropbox and all the other social media applications.
BYOD is undoubtedly on its way. A recent Citrix survey revealed that 94% of companies will allow BYOD by 2013, and 57% of companies show a significant productivity increase following the introduction of BYOD.
There are all kinds of security issues related to these consumer-focused services being used in the workplace, according to Mr Ferguson. “The problem is that they are very often not able to be managed or controlled by the organisation. And that is why you should be concerned,” he told the latest JLT Communications, Technology and Media Forum.
Mr Ferguson explained that there are a number of vulnerabilities that can be exploited on mobile phones, including for data theft and spyware. As such, mobiles designed for consumer use can be a real threat to the enterprise and, with the shift towards consumerisation, corporate IT security is losing control, he said.
Phil Mayes, Head of Technology PI, Zurich Global Corporate Europe, said: “Traditionally the power resides with the IT department, and BYOD is a brilliant piece of democratisation. But it is difficult to control and difficult to differentiate between work and non-work traffic.”
Luke Foord-Kelcey, Head of the CTM Practice in the UK, JLT, said that BYOD could result in improved productivity, greater employee retention, a flexible working model and improved IT value to business. However, he warned that while around 75% of large businesses allow BYOD, only 39% apply protective measures and 38% do not have any security awareness programmes in place.
He said there were a number of legal considerations, especially for a version of BYOD that he called BYOC—Bring Your Own Collaboration. He gave the example of corporate data stored in non-corporate locations, such as Dropbox, that an employee can access from home. This was, in effect, going from a secure, encrypted environment to an insecure home environment.
“This will have a knock-on effect when it comes to regulatory compliance in terms of data protection standards, lost devices, recording data and e-discovery,” he said, “as well as having an impact on licensing, IP and employment law.”
Neal Rankin, Risk Director, Cable & Wireless Worldwide, said that it was important to recognise that there are different levels of risk, depending on the type of device, data and IT uses. “You need to analyse the different levels of risk, in terms of what is being processed, what is the information being used for, and work out what the critical applications are, and to maintain control over those,” he told the Forum. “You need to decide what you are going to allow onto BYOD, and what you want to retain control over. As for data, it is about ensuring that critical sensitive data is kept secure with enhanced security.”
He added: “This all needs underpinning by clear and effective policies, backed up by education programmes. If people don’t understand why they are being asked to operate in this way they will always find ways around it. If you have a good education programme that explains what the risks are, people are much more likely to comply and protect your information.”
Volker Ahrens, Director Global Insurance & Risk Management, SAP AG, explained that SAP has embraced this technology and has implemented BYOD in seven countries. For SAP the trigger was the tsunami in Japan, which saw BYOD help SAP Japan keep running in the face of a major disaster, and was, he told the Forum, a real success story.
The key objectives for SAP in implementing BYOD were to take advantage of the consumerisation of IT and give employees the devices they are most comfortable using in order to gain flexibility without additional costs. “It is not about managing devices, it is about managing data and applications, and this is a key consideration for success,” said Mr Ahrens.
He stressed the importance of separating personal data from corporate data, and having the ability to wipe the corporate data as soon as a violation is discovered.
And finally, it is crucial to ensure full security, including encryption, password protection and partial wipe, he said.
Patrick Hill, Partner, DAC Beachcroft, said that one difficulty with the new media is that “while traditionally you would have run things through the in-house legal team, the problem is that if you do that for every Twitter or LinkedIn comment, the moment has passed.
“To run it past the in-house legal team may take a day for the approval process. It is managing the shift from formal advertising material going out through informal media. It is a big challenge for business,” he added.
A problem with social media, he said, relates to the capacity in which certain statements are made—on the person’s own behalf or on behalf of the company. “What we are going to have to try and work out is a way of managing the flow of information outside the company and on behalf of the company,” he said.
“And I suspect that what companies will do is to start small and test—so perhaps authorise a few people who have Twitter or Facebook accounts on behalf of the company, and then use any lessons learned from that pilot before spreading it out any further. What you also need to have is some fairly rigorous processes, procedures and controls in place, so that people understand what they are allowed to do and what they shouldn’t do,” he added.
There are many things that can be done from a technical, process and management perspective that can minimise the risk of IT consumerisation. These range from encryption to making sure you enforce policy, said Mr Ferguson. However, he stressed that, as with any security initiatives, the primary tool is education.
“The one thing that you definitely shouldn’t do is try to ban it,” he said. The problem is that consumerisation is already entrenched and young people do not know about a world without iPhones and iPads and Facebook and Twitter, he explained. They will naturally expect to be able to use these in a work environment. “Security by diktat is the worst possible way. You need security by consent,” said Mr Ferguson.
Commercial Risk Europe is holding a Risk Frontiers—Cyber Risk seminar in Brussels on 27 September. To reserve your space email [email protected]