Analyst Angle: Security in the age of BYOx

In the face of unstoppable corporate and consumer adoption of mobile devices, the security and privacy implications of cloud and mobile are a deepening concern for many security professionals. Most organizations are just beginning to adopt and integrate “bring-your-own-device” policies, putting them several steps behind their employees. IT staff are overwhelmed by the number of devices coming and going from the workplace and connecting to corporate networks. They have insufficient control over applications and security settings on employee-owned devices, and are hard-pressed to monitor individual use of external cloud services such as Dropbox, Google Drive, Basecamp and hundreds of others.

Ultimately, employers must accept that working on mobile devices while using cloud apps and services is quickly becoming the de facto IT infrastructure. It is now imperative that employees understand the risks and their responsibility to protect corporate and personal data. A lot of time and money has been spent on employee security training over the last several years, mostly with disappointing results. How can IT and business leaders embed security into this evolving infrastructure?

Bring your own everything
A mind-blowing 1.3 billion smartphones were sold worldwide in 2014. Mobile devices have become simultaneously more ubiquitous, more powerful and smaller, with “phablet” shipments surpassing portable PC shipments for the first time in 2014. It has become virtually impossible to track them as they come in and out of the workplace. The trend of employees bringing mobile devices, applications and cloud-based storage inside the corporate network perimeter is growing apace.

The Ponemon Institute’s 2015 State of Endpoint Risk report indicates a sharp increase in potential risks over the past year. The survey reveals that 80% of respondents say smartphones are a concern (up from 50% in 2013). Also of significant concern are flaws in commercial third-party applications (69%), mobile remote employees (42%), the negligent insider risk (41%) and the malicious insider risk (30%, doubled from 2013). Yet many employees indicate that they are unaware of BYOx policies, or that the policies in place are easily ignored. In the era of BYO-everything, this is beyond alarming.

The average person uses a smartphone or tablet on autopilot, without much regard for the nature of the task, the physical context, or the security of the connection. Hackers are ready to take advantage of those who use their devices for personal reasons or access their personal cloud storage while at work, forgetting that they’re transmitting over the corporate network. A well-organized attack can exploit mobile devices, apps and cloud storage by using them as a bridgehead from which to infiltrate an organization.

The success of a chief information security officer will be determined in large part by how well his or her team accommodates the personalization of IT and the increasingly diverse, interconnected, technological ecosystems present in every workplace, often lurking in shadowy corners. Mitigating risks presented by the new BYOx ecosystem will require IT departments to rapidly and effectively deploy enterprisewide strategies, policies and management technologies. While safeguarding an organization’s data is of the utmost importance, empowering employees to safely use their own devices, apps and cloud services is essential to better workplace productivity, morale and talent retention.

The forecast remains cloudy
Although there’s an overabundance of acronyms in IT’s alphabet soup, we have one to add: bring your own cloud. Today’s global organizations need a full understanding of the extent to which they rely on cloud storage and computing. They may have data in the cloud they don’t even know about. The simplicity of acquiring cloud services makes it easy for departmental teams to store information there. Externally, suppliers might store the information you’ve shared with them in the cloud. Small and medium enterprises are known to have widely embraced cloud services as flexible and cost-effective solutions, but may not have the expertise to deploy or maintain them securely.

Policies forbidding the use of cloud services are doomed to fail. Security teams should instead work with business stakeholders to find the best solutions, embracing cloud services that can deliver what internal systems cannot. IT should provide expert advice, discussing the benefits and risk of using cloud services. Such a proactive approach will make it less likely that unmanaged initiatives will remain in the shadows, bypassing processes and defenses.

Information-centric approach to managing risks
Clearly, an information-centric approach to managing security risks is essential; devices not issued by the company are too numerous, varied and vulnerable to be effectively managed endpoint by endpoint. Focusing on protecting information and meeting compliance requirements will keep your BYOx program usable and scalable. You must be able to trust your people to do the right thing; this is only realistic if expectations are made crystal clear through consistent training, monitoring and enforcement.

Awareness is not enough
It’s important to remember that behaviors can be difficult to change, and security awareness is transitory. Companies expect that educating end users about risky behaviors and potential negative outcomes will motivate them to take security seriously and act accordingly. At this point, it is clear that the reliance on, and the resources devoted to, awareness initiatives have been misplaced.

Organizations need to shift from promoting awareness of the BYOx problem to creating solutions and embedding behaviors that affect risk positively. Here are 10 principles that the Information Security Forum has developed to help businesses embed positive information security behavior:

Solutions should be risk-driven
1. Let risk drive solutions. Ensure that each solution has a direct link to business requirements and addresses a defined risk. Using risk reduction as the driving force enables a strong baseline and measurement criteria to be defined upfront and applies resources more efficiently.

2. Complexity increases risk. By looking closer, organizations may find that a complex system or cumbersome process is inhibiting the right behaviors. Our leading ISF members strive to make systems and processes as simple and user-friendly as possible.

Embed behavior change into corporate culture
3. Embed positive behaviors. People are an organization’s biggest asset and also potentially its biggest risk. People – how they make decisions and behave in key moments – must play an essential role in strengthening organizational resilience.

4. Empower people. Winning hearts and minds changes both attitudes and mindsets. As far as possible, people should be trusted, motivated and empowered at all levels of the organization. Information security practices embedded in the business culture become “how things are done around here.”

Set realistic expectations for people and programs
5. Set a realistic timescale. There is no silver bullet. Don’t expect significant results within a month or a complete change after a year: think in terms of three to five years.

6. Aim for “stop and think.” Successful solutions enable people to make the right decisions – or know when to seek advice – when faced with the unknown. If people stop and think, and take the appropriate actions in key moments, the battle is won.

Be accessible and engage people on a personal level
7. Move from “tell” to “sell.” Develop a strong brand and identity, and tailor solutions to people’s risk profiles where possible – “one-size-fits-all” solutions fail to engage people on a personal responsibility level.

8. Tap into the right skills. While information security teams play a vital role in providing context and content for a solution, expert skills (e.g., training, marketing, writing) are required to design and implement distinctive solutions that people will buy into.

9. Identify and integrate champions into efforts. Top-performing organizations recognize that a network of trained information security champions from within the business plays a vital role in introducing and embedding positive information security behaviors.

10. Hold people accountable. Successful organizations demonstrate that information security is important to them by rewarding good behaviors and addressing bad behaviors constructively – just as they would with any other substandard performance.

Act now to realize benefits and prevent disaster
BYOx initiatives promise significant benefits such as improving productivity, attracting talent and reducing costs. But these business benefits will only emerge if the initiative is carefully managed. Shifting from a culture of awareness to embedding positive behaviors is key.

Organizations with the appropriate expertise, leadership, policy and strategy in place will be agile enough to respond to the inevitable security lapses. Those who lack these strengths could be left behind by competitors or severely damaged by breaches.

Steve Durbin is managing director of the Information Security Forum. His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was SVP at Gartner.

Editor’s Note: Welcome to Analyst Angle. We’ve collected a group of the industry’s leading analysts to give their outlook on the hot topics in the wireless industry.