Organizations are being overrun by users bringing their own devices to work. The paradox is that organizations trying hardest to ban workers from using their devices may be increasing their risk rather than mitigating it. Tablets, Netbooks, iPhones, and Androids — devices that hardly existed five years ago — are sweeping through enterprises today. Workers no longer wish to be shackled to the corporate 18-month-old ThinkPad when they can be running the latest shiny gadget at both home and work. This means CSOs are contending with a wave of mobile devices that are accessing cloud-based applications and services from anywhere the user desires.The risks can be real — data stored on mobile devices are more easily lost. These devices are also not operated under the careful management of the IT department, which means dangerous applications may be installed and patches not kept up to date. Of course, the consumerization of enterprise IT also has beneficial aspects: the organization has fewer devices it must buy and maintain — a potentially large savings for big organizations.Perhaps that’s one reason why so many organizations are embracing consumerization. According to the Proofpoint 2011 Consumerized IT Security and Compliance Survey, of the 632 respondents, 534 (84 percent) are making consumerized IT an acceptable part of their organization. That leaves 98 respondents, or 16 percent, that do not allow employees to use consumer technologies for work.Many IT security experts believe those organizations clamping down on users brining their own devices to the workplace may actually be increasing their IT security risks. “If your policy is to stop people from using their own phone or device, they’re going to ignore your policy,” says Josh Corman, research director, security at the analyst firm 451 Group. “If your employees believe they’re getting more work done using their own tools and services, that’s what they’re going to do. And, if your policy is to block them from doing that, they’re going to try to hide that they’re doing it from you.” Proofpoint’s survey supports Corman’s assertion. The survey found that 64 percent of organizations that forbid employees using their own devices suspect that employees are using consumerized IT regardless of policies against it.Pete Lindstrom, research director at Spire Security, agrees that trying to tightly control user devices in the name of security will most likely backfire. “You have to look at these things in a case-by-case basis,” says Lindstrom. “If the user isn’t working with regulated or sensitive data, you have less to worry about. So before you start talking about how much risk this creates, you have to do a risk assessment.” If there is risk, there are things enterprises can do to protect corporate data. “We are still at the early stages of all of this. We’ll begin to see more tools to protect the data on these devices, such as encryption on the devices,” he says. “Virtualized Desktop Infrastructure is a saving grace for certain notebooks, because you have the opportunity to provide a highly controlled environment on that device,” Lindstrom says.Both Lindstrom and Corman say the consumerization of IT points to the importance of focusing on the protection of the actual data rather than the device. “If you can’t control the devices, or how the network is accessed, you certainly can control who has access to the sensitive data,” he says.Here are some more findings from Proofpoint’s survey:71 percent of organizations that do not allow consumerized IT in the workplace do nothing more than issue a warning to employees who violate policy72 percent of organizations that do not allow consumerized IT in the workplace are not convinced that it can be used in a secure and compliant manner48 percent of organizations that allow consumerized IT in the workplace allow users to choose which technologies they use48 percent of organizations that allow consumerized IT in the workplace regulate which technologies can be used89 percent of organizations that allow consumerized IT in the workplace say that the Apple iPhone and iPad are the most-used mobile devicesGeorge V. Hulme writes about security and technology from his home in Minneapolis. He can be found using all of his own consumer devices on Twitter as @georgevhulme Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe