In today's business world, consumer products are becoming easier and easier for end users to bring into everyday work life. This presents challenges for management and technical teams alike. What security risks does it introduce? How do we stay within compliance while allowing users to bring their own devices and software into the office?
More and more these days I am setting up email accounts on non-company-owned devices or installing consumer-focused software like Dropbox on users' PCs. Many managers raise concerns over control and security of things like this. Think about your own work PC: how many non-business applications do you have installed? Do you have your work email synced to your personal handheld? These situations become concerning when control of sensitive corporate information leaves the security grip of the business. How can we gain peace of mind while allowing users to continue relying on their own devices and applications in the business environment?
Let's take a look at file storage and sharing. The big one that comes to mind, and the one we see all the time, is Dropbox, so let's use it as our example. Like many others, Dropbox is a free service that stores your data on servers reachable from the internet (or simply, the cloud), and given that over 100 million people have signed up since its launch in 2008, you are bound to see it in your workplace. Dropbox lets you drag and drop files into a folder, and they are immediately synchronized to every machine signed in to the same Dropbox account. It is essentially the new and improved floppy disk or flash drive (the mention of which will cause IT admins to break into a cold sweat). Many users rely on Dropbox and consider it vital to their job role. Are we trading one risk for another here? I should mention that I don't want to pick on Dropbox specifically, as it definitely offers value for business users.
One thing a service like Dropbox eliminates is the possibility of the user leaving a flash drive full of company files at a friend's house or losing it in a taxi over the weekend. Dropbox encrypts files in transit and on its servers, which keeps them away from malicious individuals eavesdropping on the internet; note, though, that Dropbox holds the encryption keys, so that protection does not extend to a compromised account or to anyone who can compel Dropbox itself to hand over data. So what are the risks? For one, it is a service that can go down. If users store critical files in, and only in, their Dropbox folders and the service becomes unavailable, as it did earlier this year (see the resource section at the end of this article), then you will most certainly see a loss of productivity for those users. Another issue: what happens when the user leaves the company? How can you ensure that the user isn't walking out with sensitive business data in their Dropbox folder? Is the company allowed to go into the user's personal Dropbox account to retrieve or delete anything work related? What happens if a Dropbox account is compromised? With a personal account there is no corporate password policy or lockout behind it, so a single weak or reused password is all that stands between an attacker and every file synced to that account. Also, as of this writing Dropbox does not offer compliance with HIPAA or FERPA, nor a SAS 70 audit report (see the resource section below). For some organizations these are straight deal breakers, and that is why a lot of IT departments have been diligent in blocking access to services like this.
That said, as with most things, developing proper policies and procedures can mitigate most of the issues above. It is also important to mention that other options are available, such as Microsoft's SkyDrive, Google Drive, iCloud and Box.
D-Tech Consulting currently offers clients a fully managed, network-specific and secured cloud storage solution called Sync Tool, which gives the company full control over the data within it. If security is a major concern, a service like this is a far better option than a user-controlled service like Dropbox. The bottom line is that it is of utmost importance not to overlook which applications your users have installed and are using on your network; you cannot write a policy for a sync client you do not know is there. Services like Dropbox definitely have their place in the business world but require careful management to keep data safe.
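Before you can decide what to allow, you need to know which sync clients are actually on your PCs. The following PowerShell script is an added example (it is not part of the original post and not D-Tech's Sync Tool); it checks the standard Uninstall registry keys for the machine and for every loaded user hive, plus the running process list, for consumer file-sync clients. The product-name patterns in `$patterns` are assumptions; extend them for the services you care about.

```powershell
# Added example: inventory consumer file-sync clients on a Windows PC.
# Product-name patterns are assumptions; add any others you want to catch.
$patterns = 'Dropbox', 'Google Drive', 'SkyDrive', 'OneDrive', 'Box Sync', 'iCloud'

# Machine-wide installs (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Per-user installs (Dropbox installs per user by default) live under each
# user's hive. Only hives of currently logged-on users are loaded under HKEY_USERS.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$uninstallKeys += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" }

# Walk every Uninstall subkey and keep entries whose DisplayName matches a pattern.
$installed = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($p in $patterns) {
                if ($entry.DisplayName -like "*$p*") {
                    [pscustomobject]@{
                        Source  = 'Registry'
                        Product = $entry.DisplayName
                        Version = $entry.DisplayVersion
                        Where   = $entry.PSPath -replace '^.*::', ''
                    }
                }
            }
        }
}

# A client that is running right now is syncing right now, whether or not it
# registered an uninstall entry. Process names have no spaces, so strip them.
$processPatterns = $patterns | ForEach-Object { $_ -replace ' ', '' }
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.ProcessName
        $processPatterns | Where-Object { $name -like "*$_*" }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'Process'
            Product = $_.ProcessName
            Version = $null
            Where   = $_.Path
        }
    }

$findings = @($installed) + @($running)
if ($findings.Count -eq 0) {
    Write-Output "No consumer sync clients found on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Source, Product | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that other users' loaded hives are readable, or push it to every workstation with `Invoke-Command -ComputerName` and collect the output centrally; the point is to get a list you can compare against the policy you eventually write.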
Next, let's quickly turn our gaze to mobile devices in the workplace. My estimate is that about half of companies provide handhelds to users who need mobile email, and the rest either do not, or allow users to sync corporate email with their personal mobile device. Luckily, for the latter, we do have a greater degree of control. Most organizations that run their own corporate email run Microsoft Exchange Server, which provides a service called Exchange ActiveSync that lets mobile phones connect to corporate email. ActiveSync mailbox policies give administrators some control over the user's device: requiring a lock-screen password, specifying a minimum password length, designating how long a device can sit idle before it requires the password again, specifying how many incorrect password attempts are allowed before the device wipes itself and, most importantly, the ability to remotely wipe the user's handheld. Two caveats are worth knowing. First, the policy is enforced by the phone's mail client, not by the server, so set the policy to refuse devices that cannot enforce it, and remember that a user who forwards mail to a personal account or pulls it over IMAP or POP bypasses every one of these controls; disable those protocols for users who don't need them. Second, a remote wipe on Exchange 2010 resets the whole phone, personal photos and all, so the terms on which the user and company agree should be clearly stated and signed off on before corporate email is added to a personal device. With this done, these options go a long way toward peace of mind for IT admins and security-minded managers and CEOs, and your users can rest easy too.
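Here is what those controls look like when actually configured. This is an added example, not from the original post, written for the Exchange 2010 Management Shell; the policy name, the mailbox `jsmith`, the notification address and the numeric limits are assumptions, and you should pick values that match whatever the signed agreement says.

```powershell
# Added example: an Exchange 2010 ActiveSync mailbox policy that enforces the
# controls discussed above, assigned to one user, followed by the two actions
# you take when that user leaves. Names, address and limits are assumptions.

# 1. Create the policy. Splatting keeps each setting next to its explanation.
$policy = @{
    Name                            = 'BYOD-Personal-Phones'
    DevicePasswordEnabled           = $true        # lock screen password is mandatory
    AllowSimpleDevicePassword       = $false       # rejects 1234, 1111 and the like
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = '00:05:00'   # lock after five idle minutes
    MaxDevicePasswordFailedAttempts = 10           # the phone wipes itself after ten wrong guesses
    RequireDeviceEncryption         = $true        # a lost, locked phone still has to be decrypted
    AllowNonProvisionableDevices    = $false       # refuse clients that cannot enforce this policy
}
New-ActiveSyncMailboxPolicy @policy

# 2. Assign it to the user whose personal phone is about to sync corporate mail.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncMailboxPolicy 'BYOD-Personal-Phones'

# 3. Close the side doors that bypass the policy entirely: mail fetched over
#    POP/IMAP is never subject to any ActiveSync setting.
Set-CASMailbox -Identity 'jsmith' -PopEnabled $false -ImapEnabled $false

# 4. Audit: which devices has this mailbox actually synced, and when?
Get-ActiveSyncDeviceStatistics -Mailbox 'jsmith' |
    Select-Object DeviceType, DeviceModel, DeviceUserAgent, LastSuccessSync, DeviceWipeRequestTime

# 5. When the user leaves (or the phone is lost): stop further sync, then wipe
#    every device paired with the mailbox. On Exchange 2010 this is a full
#    factory reset of the phone, which is why the agreement must say so up front.
Set-CASMailbox -Identity 'jsmith' -ActiveSyncEnabled $false
foreach ($device in Get-ActiveSyncDevice -Mailbox 'jsmith') {
    Clear-ActiveSyncDevice -Identity $device.Identity `
        -NotificationEmailAddresses 'helpdesk@example.com' `
        -Confirm:$false
}
```

The wipe is queued on the server and carried out the next time the phone checks in, so the `DeviceWipeRequestTime` column in step 4 is how you confirm it is pending, and the notification address receives a message when the phone acknowledges it. On Exchange 2013 and later the same cmdlets exist under new names (`New-MobileDeviceMailboxPolicy`, `Get-MobileDeviceStatistics`, `Clear-MobileDevice`), and `Clear-MobileDevice -AccountOnly` removes only the corporate account rather than resetting the whole phone, which is a much easier sell for personal devices.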
As with anything, careful planning and proactive monitoring of your network environment provide the best security to keep your business protected. This is why you will continually hear me reiterate this in most posts on this blog. As consumer-focused products continue to make their way into the workplace, we should be ever diligent in evolving our policies and procedures to keep in line with security needs. Happy computing!