ENISA makes no recommendations to users based on its report. Its purpose is simply “to provide a more complete oversight of both opportunities and risks in this area by bringing together data from a collection of other, related studies.” Businesses are left to make their own decisions on how the risks can be mitigated, and then to weigh those against the opportunities in order to define their own COIT policy.
Opportunities arise in four categories: financial, staff, operational and data management. Financial opportunities come through saving “time and money by increasing productivity, reducing spending and increasing user/customer satisfaction.” HR opportunities arise through an encouraged and engaged workforce, where “businesses may attract talented individuals and achieve a better retention of employees by offering them job satisfaction and the freedom to unfold their creativity for the benefit of the business and their customers.”
The obvious operational opportunity is with staff working more hours – while traveling or at home, for example. However, ENISA sees a greater advantage in increased sharing and collaboration. COIT, it suggests, has the potential to enhance virtual teams sharing knowledge through modern channels (social networking, chatting and blogging). “The ability to mobilize cross-disciplinary teams on the virtual space is essential for success,” it says.
The final opportunity comes in improved data management. For COIT to work successfully, the need to use cloud storage becomes evident. From this, “Frequent data interactions will increase data accuracy, while the degree of data sharing will be increased.”
But despite these opportunities, there are numerous risks that need to be considered and mitigated. ENISA groups these as costs, regulatory issues, and CIA (confidentiality, integrity and availability).
While savings can be made in hardware and infrastructure, there are potential costs to brand image through “uncontrolled use of consumerized services/devices,” increased costs in the management of multiple devices, and increased general security costs.
Regulatory issues arise because corporate governance over employee-owned devices is weaker than with company-owned devices. This makes the enforcement of legal and regulatory compliance controls more difficult. Furthermore, the lack of a clear distinction between corporate and personal data could lead to litigation with employees.
The final risk is mainstream information security. This includes the potential loss of corporate data through unauthorized sharing; the potential theft of corporate data through unauthorized access from unmanaged devices; the loss of data “as a result of difficulty of controlling security in application-rich mobile devices”; and finally, the increased risk from mobile devices being the “target of attack for the acquisition of corporate data.”
While this report summarizes the risks and opportunities, its content will be used as the basis for a future report “on recommendations for mitigating the risks considered and materialisation of opportunities.”