Security

How ‘Consumerization of IT’ is changing enterprise security

by Srikanth RP, InformationWeek, November 14, 2011

An explosion in the number of new mobile devices coupled with a surge in adoption of new social media platforms is posing unique security challenges for CIOs

India has the youngest population in the global economy. As this young population has started entering the workforce, it has started impacting the existing practices of established companies. The younger generation, well acquainted with consumer devices such as the iPad, wants to use its own devices to access corporate networks. The usage of consumer devices in the enterprise is spreading like wildfire, as it allows employees to get access to company information without getting the IT function involved.

While this creates a huge impact on productivity, it also exposes the organization to newer security risks. For example, company data stored on mobile devices creates a risk of data loss, as mobile devices, unlike their desktop counterparts, can be lost or stolen.

“The smart device technology opportunity is now outpacing an organization’s ability to secure and manage new devices and the information they access,” opines Shantanu Ghosh, Vice President, India Product Operations, Symantec. The huge growth in the number of devices represents significant risks for enterprises. According to Symantec’s Enterprise Security Survey – Millennial Mobile Workforce and Data Loss, the number of smartphones connecting to the network was increasing in 73 percent of the respondent Indian enterprises. Given the diversity of mobile devices and platforms, few organizations are well prepared with a security strategy for this emerging world.

The thin line between work and home is rapidly vanishing, and today, a rising number of companies are giving their employees the option of working from home. This makes it extremely difficult for the organization to control how employees consume or use information.

“Previously, a company’s information network ended at its firewall, and its valuable data remained relatively secure within that network. But today, data is no longer contained within the walls of your business and the network ends with the user and ultimately with the user’s device. In this environment, security is far more complex than in the past and security must go with, and where the data travels,” explains Michael Sentonas, VP, Chief Technology Officer, Asia Pacific, McAfee, on why it is challenging for enterprises to confine data within the four walls of a company today.

The trend is now toward user-driven IT, and it has started to impact how enterprises purchase IT devices. “End users are influencing IT and security decisions in the workplace more than ever before, forcing organizations to introduce consumer devices and Web-based services at the workplace. This is especially true when it comes to people who have grown up with technology and are addicted to their device. They not only insist on being allowed to use these devices within the enterprise but also want access to social networking and blogging sites,” states Kartik Shahani, Country Manager, RSA India & SAARC.

A research report commissioned by Shahani’s firm, RSA, underscores the growing importance of the consumerization of IT in Indian enterprises. The report found that a massive 76 percent of security and IT leaders believed that user influence on device and application purchase decisions within the enterprise was on the rise. What is frightening, however, was the finding that nearly 60 percent of respondents said that unauthorized connections to the corporate network still occurred, despite policies aimed at preventing or limiting the connection of personal devices to corporate networks.

The antisocial element of social networking

India has the youngest population, and its Generation Next wants to use social networking websites such as LinkedIn and Facebook through corporate networks. The growing power of the youth can be seen from the fact that India now ranks as the seventh largest market worldwide for social networking, with websites such as Facebook and LinkedIn reaching millions of users.

These social networking websites are invaluable resources specifically for personnel in the marketing, sales or the research teams. It is common to see employees use these social networking websites interchangeably for business and personal activities. For most employees, social networking tools have become indispensable tools for building professional relationships and doing business. For example, a research report commissioned by RSA mentions that more than 80 percent of companies in India now allow some form of access to social networking sites. Of those companies, 62 percent are already using it as a vehicle for external communication with customers and partners.

That said, social networking websites are also dangerous as they are attractive targets for hackers. This is corroborated by the findings of the Internet Security Threat Report (Volume 16) by Symantec, which states that last year, attackers posted millions of shortened links on social networking sites to trick victims into both phishing and malware attacks. “Social media presents many opportunities for attackers to find personal information that can be used in social engineering to target specific individuals. It is an active attack vector for spam and malware. Whether it’s a mass attack or targeted, when users are surrounded by friends, it’s simple to get them to click on seemingly legitimate links,” states Ghosh of Symantec. This trend has dangerous implications for enterprises.


Block and deny will not work anymore

To date, organizations have taken a simple approach: most CIOs have simply blocked access to social networking websites and restricted the usage of personal devices. A case in point is Jindal Intellicom, which represents the Jindal Group’s strategic focus in Business Process Outsourcing. Being a company in the BPO sector and having access to sensitive information about its clients, Jindal Intellicom’s security needs are defined by the nature of the clients it serves.

“We have controlled access on the usage of smart phones. Employees are not allowed to use smart phones in the production area. Blackberry phones provided by the company have restricted access and can only be used for email exchange,” states Vijay Raghavan, CIO, Jindal Intellicom. The BPO firm has also quarantined confidential information with layers of access control and continuous monitoring.

 

About Author

Srikanth RP

Executive Editor

An award-winning journalist with more than 14 years of experience, Srikanth RP is Executive Editor with InformationWeek India. Srikanth is passionate about writing on topics which clearly show the business impact of technology.
