Ready or not, they're already in your enterprise
Organizations are being overrun by users bringing their own devices to work. The paradox is that organizations trying hardest to ban workers from using their devices may be increasing their risk rather than mitigating it.
By George V. Hulme
June 20, 2011 — CSO —
Tablets, Netbooks, iPhones, and Androids -- devices that hardly existed five years ago -- are sweeping through enterprises today. Workers no longer wish to be shackled to the corporate 18-month-old ThinkPad when they can be running the latest shiny gadget at both home and work. This means CSOs are contending with a wave of mobile devices that are accessing cloud-based applications and services from anywhere the user desires.
The risks can be real -- data stored on mobile devices are more easily lost. These devices are also not operated under the careful management of the IT department, which means dangerous applications may be installed and patches not kept up to date. Of course, the consumerization of enterprise IT also has beneficial aspects: the organization has fewer devices it must buy and maintain -- a potentially large savings for big organizations.
Perhaps that's one reason why so many organizations are embracing consumerization. According to the Proofpoint 2011 Consumerized IT Security and Compliance Survey, of the 632 respondents, 534 (84 percent) are making consumerized IT an acceptable part of their organization. That leaves 98 respondents, or 16 percent, that do not allow employees to use consumer technologies for work.
Many IT security experts believe those organizations clamping down on users bringing their own devices to the workplace may actually be increasing their IT security risks. "If your policy is to stop people from using their own phone or device, they're going to ignore your policy," says Josh Corman, research director, security at the analyst firm 451 Group. "If your employees believe they're getting more work done using their own tools and services, that's what they're going to do. And, if your policy is to block them from doing that, they're going to try to hide that they're doing it from you."
Proofpoint's survey supports Corman's assertion. The survey found that 64 percent of organizations that forbid employees from using their own devices suspect that employees are using consumerized IT regardless of policies against it.
Pete Lindstrom, research director at Spire Security, agrees that trying to tightly control user devices in the name of security will most likely backfire. "You have to look at these things in a case-by-case basis," says Lindstrom. "If the user isn't working with regulated or sensitive data, you have less to worry about. So before you start talking about how much risk this creates, you have to do a risk assessment."