Consumerisation or Bring Your Own Device are two ugly words for what is now the popular trend of people using their own personal consumer technology at work.
It can involve the use of mobile devices, home computers, email services such as gmail and hotmail, social networking systems and blogging.
Consumerisation is a symptom of changing work practices, largely brought about by the internet, and is a sign of of a move towards employee power.
Staff have begun to demand the right to work remotely, either from home, or on a mobile basis to improve their work/life balance.
The demand for talented staff and skills shortages in particular areas have meant that those staff have had the bargaining power to be able to set their own terms to employers – with many employees opting for improvements in lifestyle over money.
As one of the most frequent demands from staff, particularly young people, is to work from home, they have also opted to use their own technology.
This has happened for two reasons: because staff feel comfortable using their own technology and say they are more productive as a result, and because they can present the use of their technology as a cost saving to employers.
This has led to a rise in the use of personal laptops and mobile devices for work-related tasks.
However, this means companies have to protect either data or access to data on devices that are outside of their control. In the case of many mobile devices this has meant that they are often either unencrypted, or in the case with smart phones often without computer security protection.
It has also meant that they have had to allow the physical connection of a number of different devices to their office networks.
In many cases, for example, staff are allowed to upload songs and personal data as it is thought this improves productivity.
The practice of using personal technologies while at work has also expanded to the use of social networking, blogging and web email systems, all of which present security issues of varying types.
Their use can take data out of a company’s control because its data can be transmitted through them – and firms do not have the right to monitor them.
Whatever the rights and wrongs of the Bradley Manning case, it is the highest profile example of Consumerisation possible, and it illustrates the security concessions that are often made by organisations in an effort to accommodate staff and make them feel comfortable.
Manning, a US army private, was the man responsible for supplying WikiLeaks with the huge amount of material published in 2010 to the intense embarrassment of the US Government.
This junior soldier, who was working as an intelligence analyst in Kuwait, was responsible for downloading huge amounts of data from the US Secret Internet Protocol Router Network and the Joint Worldwide Intelligence Communications System. He was able to do this because he and colleagues were allowed to connect and load CDs into the network.
In this transcript from Manning’s conversation with the hacker Adrian Lamo, which Lamo turned over to the US authorities, Manning elaborated on how easy it was to siphon off data from classified networks.
(1:52:30 pm) Manning: funny thing is… we transfered so much data on unmarked CDs…
(1:52:42 pm) Manning: everyone did… videos… movies… music
(1:53:05 pm) Manning: all out in the open
(1:53:53 pm) Manning: bringing CDs too and from the networks was/is a common phenomeon (sic)
(1:54:14 pm) Lamo: is that how you got the cables out?
(1:54:28 pm) Manning: perhaps
(1:54:42 pm) Manning: I would come in with music on a CD-RW
(1:55:21 pm) Manning: labelled with something like “Lady Gaga”… erase the music… then write a compressed split file.
This is perhaps an extreme example, but it underlines the potential damage that can be caused if an organisation has a hazy policy on Consumerisation.
The change in work practices outlined above has also seen staff being allowed to keep social networks such Facebook and instant messenger services like Skype on while they are in the work place.
The logic behind this is hat it keeps staff happy and obviously more importantly from a company point of view, that it allows the company to have a social network presence that is regularly monitored by employees; using social networks and instant messenger services such as Twitter can allow staff to develop much deeper relationships with clients than was possible in the past.
This means that as people get to know each other better positions of trust develop that are enormously useful to a company.
But there is a flip side which is that a channel of communication is also open to the world that can let malicious software into your network and let your data and intellectual property out.
Blogging, a practice that is slowly becoming less fashionable, is also a potential security risk for companies.
The technology analyst firm Gartner recommends that people blogging during company time should be discouraged from broadcasting sensitive company information or from putting out information that might present the company in a bad light.
This would of course involve company officers in monitoring anything that is broadcast on the web, but such control may prove impossible in the long run.
Protecting your company
1. To deal with the trend companies must research the potential dangers associated with all of the devices being connected to their network.
2. Identify the value of data in your company to your company. You should do this in two ways: first, what is your data worth to someone else and who would want it and why; secondly, what is your data worth to the running of your business and what would it mean to your business if the data were lost or corrupted.
3. Your company must draw up a strictly-defined policy on the use of technology at work, explaining what is allowed and what is not. This should be backed up with basic information about technology measures the company has taken to enforce this policy.
4. This policy should aim to state the company’s position and the need for it, and should not provide any information that might aid a rogue employee in either identifying sensitive data or evading technological controls of the export of data.
5. Allowing the physical connection of unprotected devices to a company network is an easy way for malicious software to make its way onto your systems. It also represents a threat because of the potential for data to be downloaded from your system, either by a member of staff or by malicious software. Thus you must either have security measures in place to prevent this, or a policy regarding it. There are a number of computer security companies that offer systems that will lock down particular parts of your system – such as the USB port – to prevent unauthorised access to your company network. Many of the anti-virus systems on offer will also alert you to the fact that a device has been plugged in and offer to scan the device for viruses.
6. You should seriously think about what Consumerisation means to your company data and what that may mean to you as a company. Does it for example, potentially expose you to litigation in the event of loss of data, or to censure from the information Commissioner’s Office or the Financial Services Authority for not looking after data correctly? What would it mean to you if you lost your data to a competitor? What would it mean to you if you lost your data to an employee who wanted to start up in competition to you?
8. If you decide to restrict the use of social networks ask your IT advisers to configure the Web security gateway to block any services (such as social networking) that you do not want staff to use in the workplace.
9. It is possible to buy software that can stop sensitive information from leaving your network; this is known as Data Loss Prevention software