Mobility and the Cloud – Managing “Bring Your Own Device” and Securing Company Resources
There are lots of reasons why businesses are adopting cloud and Internet technologies in great number, and supporting mobile workers is one of the big ones. In order for traveling sales people or workers in remote offices to have access to business applications and data, many organizations are turning to hosted and cloud solutions to centralize systems and make enterprise-wide access easier to deliver and manage. What many businesses are just now realizing, however, is that allowing individuals to use their own mobile devices to access corporate data is exposing the enterprise to new (and often unknown) risk with each and every device and app that gets used.
Most businesses recognize the need to secure corporate systems while allowing users to remotely access resources from home or mobile computers. However, many CIOs and IT managers are failing to address the vulnerabilities introduced through the proliferation of tablets and smartphones in the business. Many enterprises initially embraced the concept of “bring your own device” [BYOD], as it tended to encourage users to work from home or while on the road, increasing employee productivity and keeping workers more “attached” to their jobs – all without the business having to pay for the device. However, with growing numbers of reported “rogue apps” and apps that secretly collect and pass data, the potential benefits of allowing workers to use their own devices is rapidly being overshadowed by the risks involved.
Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users’ address books. …but what if the app uploads a sales representatives’ contact list and the developer then sells it to a competitor? That’s a new type of data leakage that most organizations aren’t ready for.
Phones, in particular, have not traditionally been viewed by most business owners as a primary platform for information theft or damage – other than when an employee uses one to tell someone something they shouldn’t. But in terms of intrusion, data theft, application hacking and things like that… not so much. But that was before phones got really smart. Phones that most folks carry around now are actually computers with a great deal of processing and storage capacity, and as such are just as capable of running bad programs and being vulnerable to attack as their more obvious portable computer counterparts. Perhaps they are even more vulnerable because of the “connected” nature of the device, because by its very nature it is geared towards communication of information, not just processing it.
It’s not that hackers and developers of exploits (or just bad code) are necessarily focusing on stealing your business data (well, OK, a lot of them are). Maybe someone just got lucky one day, when they first realized that the employee phone was the “camel’s nose under the tent” which would get them inside, far enough to deliver access to confidential corporate information and data someone would pay for. People tend to be the weakest element in the security chain, and exploiting vulnerabilities under the guise of “making things easier” for the user has been a highly successful approach (would you like to sign in with your Facebook account?).
..because attacks that target employees may well end up targeting the employer as well, even if the employer wasn’t the original target.
Whether it is intentional or not, the risk is very present, and every business and enterprise has a responsibility to recognize the vulnerabilities introduced with mobile device use and to do what it can to mitigate that risk. It is also important to recognize that the risk is not a purely personal one, either. Since the information held by most businesses also includes the information of others – customers, vendors, partners, etc. – it is essential that the business not expose itself to unnecessary problems (litigation, fines or penalties, or simply lost opportunity) caused by accidental leakage of confidential information belonging to 3rd parties.
For some businesses, the best answer may be to only allow use of devices the business provides, along with clearly written use policies and guidelines. This approach allows the organization to determine which applications may be installed and to dictate how the device is to be used for business needs. There are even solutions available which can assist businesses in managing the expenses related to mobile devices in the enterprise, addressing not only security and privacy concerns but also helping to optimize expenditures on mobile devices by monitoring contracts and usage, identifying underused agreements or overage charges, or even identifying contracts still in force which should have been cancelled.
For many businesses, however, allowing users to continue accessing business resources with their personal devices may be desirable for a variety of reasons, cost being only one of them. If this is the case (as it is most often in small and growing businesses), it is important to make certain that users understand what is and is not appropriate device use, and to inform users on the policies relating to apps which may or may not be allowed and why.
Some statistics for your reading pleasure. (stats drawn from summary on BostonComputing.net. They may be a bit dated, but the numbers have only increased since then.) http://www.bostoncomputing.net/consultation/databackup/statistics/
The following statistics were gathered from various sources:
- 6% of all PCs will suffer an episode of data loss in any given year. Given the number of PCs used in US businesses in 1998, that translates to approximately 4.6 million data loss episodes. At a conservative estimate, data loss cost US businesses $11.8 billion in 1998. (The Cost Of Lost Data, David M. Smith)
- 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine)
- 31% of PC users have lost all of their files due to events beyond their control.
- 34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
- 60% of companies that lose their data will shut down within 6 months of the disaster.
- 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
- American business lost more than $7.6 billion as a result of viruses during first six months of 1999. (Research by Computer Economics)
- Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)
- Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
- Simple drive recovery can cost upwards of $7,500 and success is not guaranteed