Tablets, Netbooks, iPhones, and Androids -- devices that hardly existed five years ago -- are sweeping through enterprises today. Workers no longer wish to be shackled to the corporate 18-month-old ThinkPad when they can be running the latest shiny gadget at both home and work. This means CSOs are contending with a wave of mobile devices that are accessing cloud-based applications and services from anywhere the user desires.
The risks can be real -- data stored on mobile devices are more easily lost. These devices are also not operated under the careful management of the IT department, which means dangerous applications may be installed and patches not kept up to date. Of course, the consumerization of enterprise IT also has beneficial aspects: the organization has fewer devices it must buy and maintain -- a potentially large savings for big organizations.
Perhaps that's one reason why so many organizations are embracing consumerization. According to the Proofpoint 2011 Consumerized IT Security and Compliance Survey, of the 632 respondents, 534 (84 percent) are making consumerized IT an acceptable part of their organization. That leaves 98 respondents, or 16 percent, that do not allow employees to use consumer technologies for work.
Many IT security experts believe those organizations clamping down on users brining their own devices to the workplace may actually be increasing their IT security risks. "If your policy is to stop people from using their own phone or device, they're going to ignore your policy," says Josh Corman, research director, security at the analyst firm 451 Group. "If your employees believe they're getting more work done using their own tools and services, that's what they're going to do. And, if your policy is to block them from doing that, they're going to try to hide that they're doing it from you."
Proofpoint's survey supports Corman's assertion. The survey found that 64 percent of organizations that forbid employees using their own devices suspect that employees are using consumerized IT regardless of policies against it.
Pete Lindstrom, research director at Spire Security, agrees that trying to tightly control user devices in the name of security will most likely backfire. "You have to look at these things in a case-by-case basis," says Lindstrom. "If the user isn't working with regulated or sensitive data, you have less to worry about. So before you start talking about how much risk this creates, you have to do a risk assessment."
If there is risk, there are things enterprises can do to protect corporate data. "We are still at the early stages of all of this. We'll begin to see more tools to protect the data on these devices, such as encryption on the devices," he says. "Virtualized Desktop Infrastructure is a saving grace for certain notebooks, because you have the opportunity to provide a highly controlled environment on that device," Lindstrom says.
Both Lindstrom and Corman say the consumerization of IT points to the importance of focusing on the protection of the actual data rather than the device. "If you can't control the devices, or how the network is accessed, you certainly can control who has access to the sensitive data," he says.
Here are some more findings from Proofpoint's survey:
- 71 percent of organizations that do not allow consumerized IT in the workplace do nothing more than issue a warning to employees who violate policy
- 72 percent of organizations that do not allow consumerized IT in the workplace are not convinced that it can be used in a secure and compliant manner
- 48 percent of organizations that allow consumerized IT in the workplace allow users to choose which technologies they use
- 48 percent of organizations that allow consumerized IT in the workplace regulate which technologies can be used
- 89 percent of organizations that allow consumerized IT in the workplace say that the Apple iPhone and iPad are the most-used mobile devices
George V. Hulme writes about security and technology from his home in Minneapolis. He can be found using all of his own consumer devices on Twitter as @georgevhulme