Power to the people: Securing consumerized devices
The consumerization genie is out of the bottle. Employees are increasingly using consumer-focused websites and apps such as Twitter, Facebook and LinkedIn for work-related tasks, blurring the boundaries between business data and personal information. They’re also increasingly using their personal PCs, laptops, tablets and smartphones for work purposes.
According to a security study Check Point conducted in December 2010 of over 130 UK IT managers in both public and private sector organizations, 55% said employees in their companies use personal laptops or smartphones for work purposes. Yet when asked how these personal devices were secured, nearly half of the respondents said they had no formal process for applying security to the devices. Just 37% said users were prohibited from using personal devices by corporate policies.
So it’s no surprise that we’re seeing organizations voicing concerns over how to secure this ever-growing, nebulous estate of personal devices and Web applications. More and more companies are asking themselves how they should go about enforcing security, and ensuring their employees comply with security policies, irrespective of the device or app they are using.
The answer is actually very simple. If employees are starting to take control of the devices and apps they use for work, why not empower and involve them in the security process, instead of blocking specific applications and devices altogether?
With power comes responsibility
Users should bear some responsibility when it comes to securing their personal devices or Web 2.0 app usage, to mitigate the risks of data loss. This is especially true since many personal smartphones, tablets and laptops can be secured easily by downloading an app and upgrading the remote access software at the corporate gateway. This makes it simple for companies to provision and manage security across a variety of devices and platforms.
Adding a human dimension to security and treating users as a core part of the process – and not just as the source of the security issue – both strengthens security and makes it easier to manage for IT teams.
Let’s take data loss, for instance. The most common vector for data loss is email. Indeed, most data leakage incidents occur when someone accidentally sends confidential data to the wrong person, or attaches the wrong file. In order to avoid this, an effective Data Loss Prevention (DLP) solution should inspect the email’s content and, if it detects sensitive material, alert the user with a pop-up asking them to confirm they intend to send the email with the specific file to the specific recipient.
User awareness matters
This kind of approach holds a mirror to the user’s actions: users can either confirm their intended action, or realise they were about to make a mistake. The mechanism prevents inadvertent leaks, while building a log of user actions with a simple, effective combination of software intelligence and user input.
Crucially, it also makes DLP cost-effective and quick to deploy, so that customers can benefit from it straight away – unlike traditional DLP solutions that take months or even years to deploy and “train” so they can give an accurate result.
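The confirm-before-send DLP flow described above, as an added illustration rather than Check Point's own code: constructed detection rules flag a confidentiality marker and Luhn-valid payment card numbers in the body and attachments, a `confirm` callback stands in for the pop-up, and every decision, including the user's answer, is appended to an audit log. The rule set, the `confirm` signature and the log fields are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed detection rules; a real DLP engine would carry a far richer ruleset.
MARKER = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
CARD = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum, so an arbitrary run of digits is not reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the reasons a piece of text counts as sensitive (empty list if none)."""
    reasons = []
    if MARKER.search(text):
        reasons.append("confidential marker")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD.finditer(text)):
        reasons.append("payment card number")
    return reasons


def evaluate(body, attachments):
    """Inspect body and attachments ({filename: text}); 'ask' means prompt the user."""
    reasons = find_sensitive(body)
    for name, content in attachments.items():
        reasons += [f"{r} in {name}" for r in find_sensitive(content)]
    return ("ask" if reasons else "allow"), reasons


def decide(log, sender, recipients, body, attachments, confirm):
    """Apply the verdict. `confirm(reasons)` stands in for the pop-up and returns
    True when the user confirms the send. Every decision is appended to `log`."""
    verdict, reasons = evaluate(body, attachments)
    confirmed = confirm(reasons) if verdict == "ask" else None
    outcome = "sent" if verdict == "allow" or confirmed else "withheld"
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "sender": sender, "recipients": recipients,
        "verdict": verdict, "reasons": reasons,
        "user_confirmed": confirmed, "outcome": outcome,
    })
    return outcome
```

The log entries are what an auditor later reviews: who tried to send what, why it was flagged, and whether the user confirmed or backed out.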
The same principle applies to employees’ use of Web 2.0 apps: rather than categorically blocking users from accessing sites in a “Big Brother” fashion, employees should be allowed access to apps – on the proviso that they log their reasons for doing so (using a pop-up dialogue, so the reasons can be logged for subsequent investigation and audit) and have legitimate needs to visit these sites.
For example, workers from the human resources department should be allowed to visit sites like LinkedIn and Facebook when assessing the profiles of applicants. Marketing departments should be allowed to visit sites like YouTube or Vimeo to watch corporate or professional videos, and so on.
Trust but verify
By giving employees freedom in this way, whilst logging their actions should an audit be required, organisations open up a security dialogue that not only communicates their corporate security policies more clearly, but also achieves a higher level of protection for their data and resources, by reinforcing good security practice at the point where it matters most.
In conclusion, with power comes responsibility. The key to addressing the growing consumerization threat presented by the use of personal devices and Web 2.0 apps is to engage employees in the security process, at the precise point where a security decision is needed. By giving power to your people and helping them to make the right decision at the right time, organisations can cut the risks of losses and leaks at source.