The consumerization genie is out of the bottle. Employees are increasingly using consumer-focused websites and apps such as Twitter, Facebook and LinkedIn for work-related tasks, blurring the boundaries between business data and personal information. They’re also increasingly using their personal PCs, laptops, tablets and smartphones for work purposes.
According to a security study Check Point conducted in December 2010 of over 130 UK IT managers in both public and private sector organizations, 55% said their employees use personal laptops or smartphones for work purposes. Yet when asked how these personal devices were secured, nearly half of the respondents said they had no formal process for applying security to the devices. Just 37% said corporate policies prohibited employees from using personal devices.
So it’s no surprise that we’re seeing organizations voicing concerns over how to secure this ever-growing, nebulous estate of personal devices and web applications. More and more companies are asking how they should go about enforcing security, and ensuring their employees comply with security policies, irrespective of the device or app they are using.
The answer is actually very simple. If employees are starting to take control of the devices and apps they use for work, why not empower and involve them in the security process – instead of blocking specific applications and devices altogether?
With Power Comes Responsibility
Users should bear some responsibility when it comes to securing their personal devices or Web 2.0 app usage, to mitigate the risks of data loss. Most personal smartphones, tablets and laptops can be secured easily by downloading an app to the device and upgrading remote access software at the corporate gateway, which makes it relatively simple for companies to provision and manage security across a variety of devices and platforms.
Furthermore, adding a human dimension to security and treating users as a core part of the process – and not just as the source of the security issue – both strengthens security and makes it easier to manage for IT teams.
Let’s take data loss, for example. The most common vector for data loss is email. Indeed, most data leakage incidents occur when someone accidentally sends confidential data to the wrong person, or attaches the wrong file. In order to avoid this, an effective data loss prevention (DLP) solution should inspect the email’s content and, if it detects sensitive material, alert the user with a pop-up asking them to confirm their intent to send the email with the specific file, to the specific recipient.
User Awareness Matters
This kind of approach holds a mirror to the user’s actions: users can either confirm their intended action, or realize they are about to make a mistake. The mechanism prevents inadvertent leaks, while building a log of user actions with a simple, effective combination of software intelligence and user input.
Crucially, it also makes DLP cost-effective and quick to deploy, so that customers can benefit from it straight away – unlike traditional DLP solutions that take months or even years to deploy and ‘train’ before they give accurate results.
The same principle applies to employees’ use of Web 2.0 apps: rather than categorically blocking users from accessing sites in a ‘Big Brother’ fashion, employees with a legitimate need to visit these sites should be allowed access – on the proviso that they record their reason for doing so in a pop-up dialogue, so that the reason is logged for subsequent investigation and audit.
For example, workers from the human resources department should be allowed to visit LinkedIn and Facebook to assess the profiles of applicants. Marketing departments should be allowed to visit YouTube or Vimeo to watch corporate or professional videos. And the list goes on.
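The two mechanisms described above (the DLP confirmation prompt for outgoing email, and the justify-and-log prompt for permitted web apps) share one pattern: mirror the action back to the user, record the answer, then act on it. The following sketch is an added illustration, not Check Point's code; the sensitive-content patterns, the internal domain, the per-department site lists and the `ask_user` callback standing in for the pop-up are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed policy standing in for a real DLP / application-control engine (assumption).
INTERNAL_DOMAIN = "example.com"
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}
# Sites each department has a legitimate need for, following the article's examples.
ALLOWED_SITES = {"hr": {"linkedin.com", "facebook.com"},
                 "marketing": {"youtube.com", "vimeo.com"}}
AUDIT_LOG = []  # in-memory stand-in for the audit trail the article describes

def user_check(user, action, details, ask_user):
    """Mirror the action back to the user, record the answer, and return it.
    ask_user(action, details) stands in for the pop-up: it returns the user's
    confirmation or justification text, or '' if they cancel."""
    answer = ask_user(action, details)
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                      "action": action, "details": details, "answer": answer})
    return answer

def find_sensitive(text):
    """Names of every sensitive-content rule that matches `text`."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text))

def check_outgoing_mail(sender, recipient, body, attachment_text, ask_user):
    """Returns 'sent' or 'cancelled'. Internal mail and clean mail pass silently;
    sensitive content bound outside the organisation needs the user's confirmation."""
    findings = {part: hits for part, text in (("body", body), ("attachment", attachment_text))
                if (hits := find_sensitive(text))}
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if not findings or not external:
        return "sent"
    details = {"recipient": recipient, "findings": findings}
    return "sent" if user_check(sender, "send_mail", details, ask_user) else "cancelled"

def request_web_access(user, department, host, ask_user):
    """Returns 'allowed', 'cancelled' or 'blocked'. Permitted sites still require the
    user to log a reason; sites outside the department's list are refused outright."""
    if host not in ALLOWED_SITES.get(department, set()):
        return "blocked"
    details = {"host": host, "department": department}
    return "allowed" if user_check(user, "web_access", details, ask_user) else "cancelled"
```

Every prompt, whether confirmed or cancelled, lands in `AUDIT_LOG` with the specific recipient or site, which is what makes the later investigation the article mentions possible.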
Trust but Verify
By giving employees freedom in this way, while logging their actions should an audit be required, organizations open up a security dialogue that clearly communicates and reinforces their corporate security policies. It also achieves a higher level of protection for their data and resources, by reinforcing good security practice at the point where it matters most – at the user’s fingertips.
With power comes responsibility. The key to addressing the growing consumerization threat presented by the use of personal devices and Web 2.0 apps is to engage employees in the security process, at the precise point where a security decision is needed. By giving power to your people and helping them to make the right decision at the right time, organizations can cut the risks of losses and leaks at source.
Terry Greer-King is the UK managing director for Check Point Software Technologies. He is responsible for strategic sales planning, business development, channel management and for new initiatives to drive Check Point’s UK sales and marketing leadership. He has over 10 years of experience in the IT security sector and channel sales, and more than 30 years in technology sales and management.