The use of consumer-style technology in the Australian workplace continues to grow as employees and employers seek to increase productivity and find greater flexibility in the way they work. Smartphones, iPads, web 2.0 applications and social networking sites enable greater mobility and promote collaboration across dispersed teams. The trend is accelerating; however, many large organisations have not yet embraced this technology because they are not sure how to manage the new security risks it brings. The reality is that employees are doing it anyway – using their own devices for work activity – and the longer organisations delay proactive management via a combination of technology, corporate policies and employee education, the more they put their organisation at risk.
Aussies love their smartphones – it is estimated that almost half of the Australian adult population has a smartphone today, and it is predicted that 90% will by 2015*. Similarly, take-up of tablets is exploding – the launch of the iPad 2 in March helped drive sales so that tablet unit sales in Australia for the first five months of 2011 exceeded the full-year figures for 2010**. And how many of us are hoping one will be tucked under the Christmas tree at the end of the year? It is little wonder that these same devices have made their way into the workplace, albeit often unofficially.
The second annual Consumerisation of IT study***, conducted for Unisys by market intelligence firm IDC, shows that the use of consumer-style technology in Australian workplaces has accelerated over the last year: in the last 12 months the proportion of Australian workers who say they use iPhones for work purposes has grown from 9% to 28%, and the proportion using iPads and other tablets has grown from 14% to 25%.
Our research suggests that the acceleration in consumer technology used at work is driven by the desire for greater mobility. These devices aren’t treated as just cute gadgets – employees see them as critical devices that will replace their desktop or laptop computers.
Furthermore, employees are not waiting for their employers to adopt the technology – they are bringing in and using their own devices. More than a third (35%) of the devices used for work in Australia are personally owned – this is the BYO technology (BYOT) phenomenon.
BYOT may offer employers an easy way to reduce capital expenditure, and improve employee morale by allowing employees to use their preferred devices, but if left totally unfettered a number of issues will eventually rear their ugly heads. For example: who is responsible for insurance and maintenance, what help desk support is available, what legal rights does the employer have to access information stored on an employee-owned device? How do you mandate appropriate security measures? What happens if the employee leaves the company? And so on. These issues can be addressed only via a formalised BYOT program that incorporates a mix of procedures, policies, education and technology – but better to do it up front so that everyone knows where they stand and understands their responsibilities.
Right now unofficial BYOT is rife in Australian organisations and, as a result, many employers are not aware of the extent to which consumer devices are already used in the workplace. While a quarter of Australian iWorkers say they use tablets, employers estimate that only 8% of employees use them. Similarly, 28% of employees say they use iPhones while employers estimate that only 16% do. How can you secure your IT infrastructure if you are not up to speed with what is connected to it?
Why Are Organisations Leaving Themselves So Exposed?
Employers do recognise that consumerisation of IT and the resulting BYOT offers advantages of increased morale and productivity; frees the IT organisation from some hardware support requirements; and allows capital cost reduction.
However, over the last 12 months, employers have moved from ‘blissful ignorance’ to ‘paralysed awareness’ in the face of consumerisation of IT. They are more cognisant of the impact that mobile technologies and social media are having on their employees and their business, but are nonetheless daunted by the potential issues – with security concerns at the top of the list. Other concerns cited include challenges in developing corporate policies, difficulty in building a business case, managing the balance of work and personal time, and the drain on company network bandwidth.
In our research, the issues that employers identified as needing attention were:
- improving security of data and access
- strengthening policies and compliance
- determining the best way to deliver IT support
- setting up employees with mobile devices
- transforming the data centre to effectively deliver data and applications to support mobile device use.
However, with so many competing priorities, these same employers are overwhelmed and don’t know where to start. Unfortunately, the longer they delay in doing so, the harder it will be for them to manage these issues and realise the business benefits they could achieve by embracing consumer technologies.
Where Do You Start?
Security is the number one barrier, so it should also be the number one action. The following steps are recommended to get started:
- Get the lay of the land – conduct an audit to find out what is being used now, and secure it with both technology and policies to prevent business-critical data being compromised (this is covered in more detail below).
- Look forward – determine which tools will offer the greatest productivity benefits.
- Decide how to manage devices and support users most effectively – consider self-service support models.
- Identify areas that offer the greatest productivity gains – think beyond the mobile device and look for innovative ways to modernise or develop new enterprise applications that make use of mobile devices and social media to improve or replace obsolescent business processes.
How Can You Secure A Butterfly?
Because consumer technology is mobile, a new approach to security is required. To protect itself, an organisation needs to create an extended security model that secures not only the network infrastructure but also the new ‘endpoints’ (mobile devices) being used to access the corporate network. Several areas need to be considered:
- enhance endpoint security
- control network access
- mitigate risk via corporate HR, IT and legal policies
- educate employees
1) Enhance Endpoint Security
Any device used to access the network is an ‘endpoint’ – whether a desktop PC or a smartphone. When employees take devices out of the office, those devices become an exploitable gap in the organisation’s defences.
An unsecured endpoint may allow a cybercriminal to access sensitive data stored on the device or corporate network by collecting and re-using an authorised account and password, or by taking advantage of the user’s access when he or she is logged in. To combat this, organisations need to approach endpoint security from a combination of angles covering the device, network and data.
Restrict access to the device itself using one of the many access management and identity authentication tools available, including strong passwords, biometric scanners, smartcards and security fobs. Shockingly, according to the October 2010 Unisys Security Index****, 58% of Australians never lock their mobile device with a password – such a simple step to take.
Use host-based firewalls, anti-virus, anti-malware and identity management software to better secure the endpoint. In addition, whitelist-based or behaviour-based threat protection can identify both known and unknown threats so that they can be quarantined and eliminated.
Consider using encryption technology to provide an extra layer of protection for highly-sensitive data downloaded to and stored on devices.
2) Control Network Access
Network Access Control (NAC) provides a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments.
NAC does this by requiring devices to prove they are safe to connect to the network (pre-admission), and by dictating where endpoints are authorised to go and what they are authorised to do. If the endpoint doesn’t meet the entrance criteria, NAC technology can quarantine and remediate non-compliant, infected or misconfigured systems.
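To make the pre-admission idea concrete, here is an added example (not code from the article, nor from any NAC product) that models the posture check described above together with the endpoint controls from the previous section: the device must present a screen lock, storage encryption, current anti-malware definitions and a supported OS before it is placed on the corporate segment; anything failing the criteria goes to a remediation-only quarantine segment with the list of fixes required. The policy thresholds, device records and segment names are all constructed for illustration; a real NAC agent would collect the posture from the endpoint itself.

```python
"""Pre-admission posture evaluation in the style of NAC.

Added example for the article's NAC and endpoint-security sections.
All thresholds, device records and segment names are assumptions.
"""
from dataclasses import dataclass

# Constructed policy: the minimum posture an endpoint must show before it is
# admitted to the internal segment. Values are illustrative, not a standard.
POLICY = {
    "min_os_version": (4, 3),      # (major, minor); assumed baseline
    "max_av_age_days": 7,          # anti-malware definitions older than this fail
    "require_screen_lock": True,   # the 'lock your device' control from the text
    "require_encryption": True,    # the 'encrypt sensitive data' control
}

# Where each segment may go and what it may do ("authorised to go / to do").
SEGMENT_ACCESS = {
    "corporate":  {"intranet", "email", "file-shares", "internet"},
    "restricted": {"email", "internet"},       # compliant but personally owned
    "quarantine": {"remediation-portal"},      # fix-it-yourself only
}


@dataclass
class Posture:
    """What a hypothetical agent reports about a device at connection time."""
    device_id: str
    os_version: tuple
    av_age_days: int
    screen_lock: bool
    encrypted: bool
    jailbroken: bool
    managed: bool   # enrolled in corporate device management (assumption)


def check_posture(p: Posture, policy: dict = POLICY) -> list:
    """Return the remediation steps needed; an empty list means compliant."""
    failures = []
    if p.jailbroken:
        failures.append("device is jailbroken/rooted; restore to a supported state")
    if p.os_version < policy["min_os_version"]:
        failures.append("update OS to %d.%d or later" % policy["min_os_version"])
    if p.av_age_days > policy["max_av_age_days"]:
        failures.append("update anti-malware definitions")
    if policy["require_screen_lock"] and not p.screen_lock:
        failures.append("enable device passcode / screen lock")
    if policy["require_encryption"] and not p.encrypted:
        failures.append("enable storage encryption")
    return failures


def admit(p: Posture, policy: dict = POLICY) -> dict:
    """Pre-admission decision: which segment the device lands on and why."""
    failures = check_posture(p, policy)
    if failures:
        segment = "quarantine"
    elif p.managed:
        segment = "corporate"
    else:
        segment = "restricted"   # BYO device that passed posture but is unmanaged
    return {
        "device": p.device_id,
        "segment": segment,
        "allowed": sorted(SEGMENT_ACCESS[segment]),
        "remediation": failures,
    }


# Constructed sample devices (not real inventory).
SAMPLE_DEVICES = [
    Posture("corp-laptop-01", (4, 4), 1, True, True, False, True),
    Posture("byo-phone-02",   (4, 3), 2, True, True, False, False),
    Posture("byo-tablet-03",  (4, 1), 30, False, False, False, False),
]


def run_demo() -> list:
    """Evaluate the sample devices; returns the admission decisions."""
    return [admit(d) for d in SAMPLE_DEVICES]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The split between `check_posture` and `admit` mirrors the two halves of the NAC description: the first answers "is this device safe to connect?", the second answers "where may it go?". Keeping the remediation list in the decision is what lets a quarantine segment be useful rather than merely a dead end.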
3) Mitigate Risk Through Policies
Technology is only part of the security solution. Update corporate policies to define and mandate the behaviour required of employees. Take a comprehensive approach by involving not only IT, but also human resources, legal, risk and senior management teams in setting and managing policy. Policies and employee education programmes should cover:
- where and when devices can be used
- securing devices used to access the corporate network
- rules for copying sensitive data on to external media such as USB devices, DVDs and CDs
- password management
- data ownership and surrender/access, distinguishing between applications and data of the organisation and the employee
- appropriate use of technology in the workplace, including HR issues such as workplace bullying, confidentiality breaches and so forth
- appropriate behaviour, confidentiality and disclosure on social networking sites
- consequences for breaching policies or programme guidelines.
4) Educate Employees
Use an ongoing communication program to educate and remind employees about the potential security threats and the role they play in protecting company infrastructure and data. Employees need to be conscious of their responsibility to protect and secure devices that enable access to the corporate network or sensitive information. Not only do they need to be familiar with the corporate policies, they need to understand that the policies are mandated, and they need to know the consequences of not complying with them.
*The Telsyte Australian Smartphone Market Study 2011-2015 – http://www.telsyte.com.au/?p=1140
**Telsyte media tablet research – http://www.telsyte.com.au/?p=1048
***Unisys Consumerisation of IT study – http://www.unisys.com/unisys/ri/report/detail.jsp?id=1120000970016710178
****Unisys Security Index – www.unisyssecurityindex.com.au
This is an opinion piece and is intended only to provide a summary of the subject matter covered. It does not purport to be comprehensive or to render advice. No reader should act on the basis of any matter contained in this piece without first obtaining specific professional advice.