Tablets, netbooks, iPhones and Androids, devices that hardly existed five years ago, are sweeping through enterprises today.
Workers no longer wish to be shackled to the corporate 18-month-old ThinkPad when they can be running the latest shiny gadget at both home and work. This means security professionals are contending with a wave of mobile devices that are accessing cloud-based applications and services from anywhere the user desires.
The risks can be real. Data stored on mobile devices is more easily lost. These devices are also not operated under the careful management of the IT department, which means dangerous applications may be installed and patches not kept up to date. Of course, the consumerisation of enterprise IT also has beneficial aspects: the organisation has fewer devices it must buy and maintain, a potentially large saving for big organisations.
Perhaps that's one reason why so many organisations are embracing consumerisation. According to the Proofpoint 2011 Consumerized IT Security and Compliance Survey, of the 632 respondents, 534 (84 percent) are making consumerised IT an acceptable part of their organisation. That leaves 98 respondents, or 16 percent, that do not allow employees to use consumer technologies for work.
Many IT security experts believe those organisations clamping down on users bringing their own devices to the workplace may actually be increasing their IT security risks.
"If your policy is to stop people from using their own phone or device, they're going to ignore your policy," says Josh Corman, research director, security at analyst firm 451 Group. "If your employees believe they're getting more work done using their own tools and services, that's what they're going to do. And, if your policy is to block them from doing that, they're going to try to hide that they're doing it from you."
Proofpoint's survey supports Corman's assertion. The survey found that 64 percent of organisations that forbid employees using their own devices suspect that employees are using consumerised IT regardless of policies against it.
Pete Lindstrom, research director at Spire Security, agrees that trying to tightly control user devices in the name of security will most likely backfire. "You have to look at these things in a case-by-case basis," says Lindstrom. "If the user isn't working with regulated or sensitive data, you have less to worry about. So before you start talking about how much risk this creates, you have to do a risk assessment."
If there is risk, there are things enterprises can do to protect corporate data. "We are still at the early stages of all of this. We'll begin to see more tools to protect the data on these devices, such as encryption on the devices," he says. "Virtualised Desktop Infrastructure is a saving grace for certain notebooks, because you have the opportunity to provide a highly controlled environment on that device," Lindstrom says.
Both Lindstrom and Corman say the consumerisation of IT points to the importance of focusing on the protection of the actual data rather than the device. "If you can't control the devices, or how the network is accessed, you certainly can control who has access to the sensitive data," he says.
Here are some more findings from Proofpoint's survey:
- 71 percent of organisations that do not allow consumerised IT in the workplace do nothing more than issue a warning to employees who violate policy
- 72 percent of organisations that do not allow consumerised IT in the workplace are not convinced that it can be used in a secure and compliant manner
- 48 percent of organisations that allow consumerised IT in the workplace allow users to choose which technologies they use
- 48 percent of organisations that allow consumerised IT in the workplace regulate which technologies can be used
- 89 percent of organisations that allow consumerised IT in the workplace say that the Apple iPhone and iPad are the most used mobile devices