The unexpectedly rapid consumerization of IT seen in 2011 is expected to continue its momentum into the new year, presenting a variety of challenges to companies around the world. However, according to independent information security advisors from ISACA, plenty of the lessons learned this year can help IT administrators address this important development moving forward.
The consumerization of IT broadly refers to the process by which technologies rising to prominence in consumer segments eventually gain acceptance in the business community. While this trend has been characterized by a wide variety of hardware and applications in the past, the emergence of smartphones and tablets has greatly amplified its implications in recent years.
Delighted by the convenience and versatility of these powerful mobile computing devices, employees are bringing their personally-owned gadgets into the workplace in record numbers and placing IT departments in a precarious position. Whereas corporate technology teams may have been able to ignore this phenomenon and postpone action just a few months ago, data security and compliance concerns will necessitate the development and execution of enlightened mobile device management strategies in 2012.
One popular approach has been the embrace of a bring-your-own-device, or BYOD, paradigm. By allowing employees to utilize their own smartphones and tablets, companies can gain the flexibility and productivity advantages offered by these devices without the expense of purchasing a fleet of new handsets to supply their workforce.
While some have derided this as a short-term, band-aid approach, it has already gained traction in some of the least digitized and most heavily regulated industries. According to ABA Banking Journal, the BYOD landscape is dominated by large firms in the financial services, insurance and healthcare sectors. Citing data from Good Technology, the journal suggested that 80 percent of all companies supporting BYOD frameworks employ more than 2,000 workers.
However, this increasingly common strategy presents unique data security challenges for corporate IT administrators tasked with managing a wide range of devices and heterogeneous applications. This trend has also diffused authority across the organization in many cases, putting employees squarely in charge of security decisions they may not be qualified to make.
According to a recent global survey from the Accenture Institute for High Performance, 43 percent of employees now feel comfortable and capable of making technology decisions autonomously. This has manifested itself in everything from the use of unauthorized consumer applications to the avoidance of key system updates.
“Employees feel increasingly empowered to make their own technology decisions and say that corporate IT is just not as flexible and convenient as the personal consumer devices and software applications they use in their personal lives,” explained Accenture executive research fellow Jeanne Harris. “Employees are surprisingly willing to pay in order to use the technologies they love at work, and as a result, they are going to use them – with or without their company’s approval.”
Yet despite the well-publicized drawbacks, few companies have been willing or able to resist a BYOD paradigm. As a result, ISACA analysts have focused their efforts on developing and distributing the key insights that will help organizations leverage the advantages of the mobile device management strategy while minimizing security risks.
"Organizations that embrace the BYOD trend need to consider a two-pronged approach to security by focusing on both the device and the data it can access," CA Technologies vice president and ISACA spokesman Robert Stroud advised. "In 2012, we should see an increased focus on the mobile device and its access to information. IT will need to answer questions such as, 'Who is accessing corporate information, when and from what device? Is the device trustworthy?'"
To bolster corporate data security, IT administrators must first inventory the endpoints they need to protect. This process may be tedious, but accounting for every device and tying each one to a specific user increases accountability and forms the framework for a solid security plan.
Once these endpoints are identified, administrators must ensure they have adequate visibility to monitor actions across the network. According to the Register, routine event logging can establish a baseline of normal activity, so that later review can identify unauthorized access patterns and other suspicious behavior before it is too late.
After this perspective is established, IT teams must also address how employees are using their devices outside of company jurisdiction. In the high-stakes game of corporate data security and compliance, trust is no longer an effective strategy in the face of constantly evolving threats. Instead, remote management capabilities and explicit usage policies are in order.
Remotely wiping data after a set number of failed login attempts, or as soon as the employee reports his or her device missing, can keep sensitive information away from prying eyes. Centralized management and controlled application downloads can also close many of the gaps exploited by mobile malware strains.
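The three steps above (a device inventory tied to named users, a logging baseline that surfaces abnormal access, and a wipe decision after repeated failed logins) can be strung together in a small triage script. The following is an added example written for this page, not code from ISACA, the Register or Trend Micro; the device identifiers, user names and log lines are constructed, and it assumes a hypothetical log format of one whitespace-separated event per line and that the MDM wipe decision can be reduced to a consecutive-failed-login threshold.

```python
# Added example (hypothetical): BYOD access-log triage with a device
# inventory, a per-user baseline, and a failed-login wipe threshold.
from collections import defaultdict
from datetime import datetime

# Step 1: inventory. Every known device is tied to one named owner.
# Identifiers are constructed for this example.
DEVICE_INVENTORY = {
    "ios-4f2a": "alice",
    "android-9c1e": "bob",
    "ios-77b0": "carol",
}

# Constructed log lines: <ISO timestamp> <user> <device> <resource> <OK|FAIL>
SAMPLE_LOG = """\
2011-12-05T09:02:11 alice ios-4f2a mail OK
2011-12-05T09:15:40 bob android-9c1e crm OK
2011-12-05T10:20:00 carol ios-77b0 mail OK
2011-12-06T10:30:02 alice ios-4f2a mail OK
2011-12-06T11:05:55 bob android-9c1e crm OK
2011-12-06T09:58:13 carol ios-77b0 mail OK
2011-12-07T02:13:09 alice ios-4f2a mail OK
2011-12-07T09:44:21 carol ios-77b0 mail OK
2011-12-07T09:50:00 bob android-0000 crm OK
2011-12-07T10:05:00 alice android-9c1e crm OK
2011-12-07T22:01:00 carol ios-77b0 mail FAIL
2011-12-07T22:01:30 carol ios-77b0 mail FAIL
2011-12-07T22:02:00 carol ios-77b0 mail FAIL
2011-12-07T22:02:30 carol ios-77b0 mail FAIL
2011-12-07T22:03:00 carol ios-77b0 mail FAIL
"""

BASELINE_CUTOFF = datetime(2011, 12, 7)  # events before this build the baseline
WIPE_THRESHOLD = 5                        # consecutive failures before a wipe


def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, resource, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user, "device": device,
            "resource": resource, "result": result,
        })
    return events


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Step 2a: per-user baseline (devices used, hours of day seen),
    built only from successful events before the cutoff."""
    baseline = defaultdict(lambda: {"devices": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "OK":
            baseline[e["user"]]["devices"].add(e["device"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def _near_baseline_hour(hour, hours):
    # One hour of slack either side of any hour seen during the baseline.
    return any(abs(hour - h) <= 1 for h in hours)


def detect_anomalies(events, baseline, inventory=DEVICE_INVENTORY,
                     cutoff=BASELINE_CUTOFF):
    """Step 2b: flag post-cutoff events that deviate from the inventory or
    the baseline. Returns (timestamp, user, device, reason) tuples."""
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        ts, user, device = e["ts"].isoformat(), e["user"], e["device"]
        owner = inventory.get(device)
        if owner is None:
            findings.append((ts, user, device, "unregistered-device"))
        elif owner != user:
            findings.append((ts, user, device, f"device-registered-to-{owner}"))
        elif user not in baseline:
            findings.append((ts, user, device, "no-baseline"))
        elif not _near_baseline_hour(e["ts"].hour, baseline[user]["hours"]):
            findings.append((ts, user, device, "off-hours"))
    return findings


def wipe_candidates(events, threshold=WIPE_THRESHOLD):
    """Step 3: devices with `threshold` consecutive failed logins. A success
    resets the counter, as a lockout-then-wipe MDM policy would."""
    streak = defaultdict(int)
    candidates = set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] == "FAIL":
            streak[e["device"]] += 1
            if streak[e["device"]] >= threshold:
                candidates.add(e["device"])
        else:
            streak[e["device"]] = 0
    return candidates


def triage(text=SAMPLE_LOG):
    """Run all three steps over a log and return the findings."""
    events = parse_log(text)
    return {
        "anomalies": detect_anomalies(events, build_baseline(events)),
        "wipe": wipe_candidates(events),
    }


if __name__ == "__main__":
    result = triage()
    for finding in result["anomalies"]:
        print("ANOMALY", *finding)
    for device in sorted(result["wipe"]):
        print("WIPE", device)
```

On the constructed data, the script flags Alice's 2 a.m. access as off-hours, Bob's unregistered handset, and Alice signing in from a device the inventory ties to Bob; Carol's five consecutive failures at 22:00 make her phone the one wipe candidate, while her 09:44 access passes silently because it matches her baseline. The hour-of-day tolerance and the failure threshold are the two knobs a real deployment would tune against its own false-positive rate.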
Data Security News from SimplySecurity.com by Trend Micro