The numbers are in: Senior managers are moving data to the cloud with or without company-sponsored software.
The digital forensics and security services company, Stroz Friedberg, recently published a survey that found that nearly 75% of information workers in the United States share corporate data via personal email and cloud file sharing accounts. The percentage of employees uploading files jumps to 87% when the sample is restricted to the data habits of senior managers.
The statistics suggest some eyebrow-raising possibilities:
- Financial projections saved on Box.com.
- Management meeting minutes stored on a MediaFire account.
- Customer data sent to and from a Hotmail address.
The findings of the study also illuminate a pressing management issue: What can be done to mitigate the risks associated with data escaping the company-sponsored IT eco-system?
What’s the big deal about using personal emails and cloud file-sharing services?
The prospect of proprietary information escaping the enterprise—especially sensitive financial and accounting data—is a significant security issue. Intellectual property theft alone costs US companies $300B annually, according to the digital security experts at CSOOnline.com. Expand the focus to include instances where the data may not be stolen, but simply gets deleted or corrupted, and the scope of the issue only increases.
According to a Cisco survey, unsanctioned software usage deserves much of the blame for data loss. Cisco found that 74% of US-based IT professionals attribute half of their data loss incidents to the use of unauthorized programs. Even worse, preventing unauthorized program use is only likely to get more difficult as more applications shift to the internet. IT departments’ silver bullet of disabling users’ ability to run executables and install programs themselves doesn’t apply to web applications, where the only software needed to run the program is a web browser.
Transmitting business files with web-based email and file-sharing applications also presents a dual threat from a security perspective. Not only does it prevent technical managers from ensuring the presence and proper usage of application security protocols, it takes data outside of the protected company network.
Consumer webmail and file-sharing services generally don’t offer the same level of advanced security control found in business-class applications. And even if they did, it’s not a safe practice to rely on individual employees to optimize the security settings that do exist in their personal cloud accounts. Specific data risks typically include:
- Weaker password protection
- Less likelihood for users to verify via two-step authentication
- Reduced or eliminated use of encryption during data transmission
- Diminished opportunities for data back-up and redundancy
- Decreased visibility to monitor for suspicious data patterns
- Increased chance of inadvertent data sharing
While consumers have responded overwhelmingly positively to the flexibility offered by web-based email and file-sharing (Gmail claims 400M+ users, Dropbox 100M+), many security experts are less impressed by the business usage credentials.
“Until Dropbox adds … stronger security measures, and all employees adopt them, businesses that use Dropbox should inform employees that anything they upload to the service will be treated as ‘public’—that is, as if it was published to a public Google Group, Yahoo mailing list, or the like.” (InformationWeek.com, “5 Dropbox Security Warnings for Businesses”)
Along with social media and other heavily used web services, webmail and file-sharing services also constitute an obvious and attractive target for hackers. In December of 2013, CNN.com reported that 70,000 Gmail, Google+, and YouTube accounts had their passwords stolen as part of a coordinated effort that compromised a total of 2 million accounts across a variety of websites. It’s the type of headline that’s popped up frequently enough that it’s starting to feel like a Madlib—just swap out the name of the web service and the number of accounts affected.
What can be done?
The most popular strategy for curbing threats associated with the usage of consumer email and file-sharing thus far has been user education and policy enactments. Companies are running into resistance, however. A recent ComputerWorld article identified:
“More than 75% of corporations have policies that prohibit the use of consumer online file sharing and collaboration tools, yet employee use of the services is still rampant.”
Some companies with a more aggressive security stance are simply blocking websites to deal with the threat. The 2013 Statista Workplace Survey found that 9% of the American employees studied have had webmail sites (like gmail.com and outlook.com) blocked at work.
Blocking sites isn’t always an option, though. Because of either a legitimate need for specific sites or an aversion towards creating employee distrust with Big Brother-ish controls, businesses are often reluctant to block websites.
Another option: Eliminating the need to take data out of the original system
According to the Stroz Friedberg data, the most common reason employees upload work files to email and file-sharing accounts is a preference for using their personal computer.
The tendency of many employees to prefer using their personal computer is something that businesses should consider carefully—especially when purchasing enterprise applications and making decisions about how they are deployed.
Really, the most effective way to prevent sensitive data from leaving the company network is to eliminate the need to export it in the first place. If employees are able to use applications from personal machines, one of the major motivations to email or file-share work data can be eliminated.
Whether or not employees should be permitted to use their own devices to access business systems is a complicated issue. It’s controversial because it introduces a host of new security concerns related to supporting user machines. The controversy underlines the fact that security is often a trade-off between one set of issues and another.
The cost and productivity ramifications of supporting a bring your own device (BYOD) approach continue to be hotly disputed. (A NetworkWorld.com piece recently presented thoughts from business executives on each side of the debate.) But it’s worth expanding the conversation to examine a potentially unexpected and under-appreciated security benefit that BYOD can offer.
Modeling a BYOD-based risk mitigation strategy
Consider the case of a CFO who spends much of his time working within accounting software or an ERP program. There are any number of reasons a CFO might export files and send them to himself—especially if he lacks client access to the ERP application on his personal machine:
- Insufficient or difficult to use reporting capabilities might prompt an export of data for further manipulation in a spreadsheet program.
- A meeting with business partners could lead to the export of data for reference.
- Disconnected applications can easily lead to a need to export data to collate it with information from multiple sources.
- An executive unwilling to unplug during nights, weekends, or vacations may choose to keep himself informed by exporting the latest numbers for reference while away from the office.
Historically, many businesses have opted against supporting ERP application access from outside their internal company network to keep data away from the threats of internet transmission. However, the revelation that financial data is making its way to consumer cloud apps anyway is forcing many companies to rethink this approach.
Essentially, allowing IT to support applications on a BYOD basis acknowledges the reality that data is already making its way outside authorized applications, and it effectively extends IT’s influence over a larger percentage of the total corporate data security profile. Specifically, BYOD-based support for business applications mitigates the security threat in two significant ways.
- Business-class applications are generally designed to much higher security standards than free, consumer-class software.
- Your company’s IT department retains data control, improving the odds that the more robust security options offered in business software systems are fully utilized. While consumer services like Dropbox will undoubtedly continue to invest in improving security, supporting your company sponsored applications provides the opportunity for your IT experts—rather than Dropbox and your company users—to determine your security standards.
Extending BYOD access via software as a service (SaaS) options may spring to mind as the obvious method to support anytime, anywhere access for your senior management ERP users. But SaaS-based cloud options are not the only choice. Traditional network-hosted solutions will work equally well, provided the client application is properly deployed and connected via secure, remote access technology. So long as an ERP program—or any business application—provides comprehensive and easy to use tools, users are less likely to shift files outside of it.
Evaluating a move to BYOD
Businesses looking to embrace BYOD in order to steer users away from risky, unauthorized web apps and toward company-sponsored software should take three concrete steps:
Consider the feasibility.
Start with an evaluation of feasibility and cost.
- Does your company have the tech-skills to support a variety of user device types?
- What productivity gains can be expected?
- How will they be quantified?
- How will your overall IT demands be affected by BYOD?
- If there are shortcomings in your ability to support the BYOD policy, will the potential security gains be negated?
These are but a handful of the questions you’ll need to ask. BYOD offers a variety of benefits, but it’s not for everyone. Deciding if it’s right for you requires the attention you’d pay to any major IT initiative.
Target the functional holes currently leading users to lean on unauthorized programs.
Inventory all the external web applications your company employees rely upon. Make an assessment of the security concern that coincides with each external app. If the security threat of any app is significant, provide an alternative authorized application your IT department can support. And make sure your alternatives actually provide the functionality users need. Otherwise users will fall back to their old bad habits of exporting files and manipulating data outside the company network.
Design a BYOD policy.
Crafting a comprehensive policy for BYOD is not easy, but it’s necessary. A CIO.com article from 2012 explored how the IT consulting business Dimension Data enacted a BYOD program, which its Chief Information Officer, Ian Jansen, described as a “runaway success.” Jansen acknowledged the stakes involved in properly balancing their BYOD policy by observing: “If corporate IT makes it too difficult to use the device then the [BYOD] program will fail. We made sure it is very light touch but that it gave us the security which we require.”
Ultimately, employees uploading company files to webmail and file-sharing sites is just one of the risky user behaviors that IT departments contend with on a daily basis. But what makes it unique is that the magnitude of senior management’s involvement in the bad habits takes many of the typical workplace responses to policy infraction off the table. Is expanded support of company-sponsored applications on BYOD devices the answer? Given that recent data suggests 57% of global employees participate in BYOD already, we suspect it’s an IT strategy that will only continue to grow. Let us know what you think, though. Send us a tweet at @FindMySoftware with the hashtag #BYOD.