A survey by Vanson Bourne for Quest Software, part of Dell, has found that 65% of European CIOs believe that employees share corporate data in the fastest and easiest way, regularly bypassing IT policy. 98% believe that this is caused by poor identity and access management, prompting employees to use third-party sites as ‘work-arounds’. The use of such work-arounds, systems outside of corporate IT control, is sometimes called ‘shadow IT’, and BYOS (bring your own services) is a prime example. Employees are increasingly using third-party services, such as Dropbox, to move company data from company to personal device, bypassing company security controls.
Ben Rapp, the CEO of Managed Networks, describes the process. “The initial motivation for ‘bring your own device’ came from the user, not from IT,” he blogged this week. “The reason is that users continually, and naturally, look for ways to make their work easier and more efficient. IT often struggles to keep up with such demands; so while BYOD has become acceptable, IT support for BYOD often lags far behind.” The result, he adds, is that sensitive company data can be left exposed en route to, and at rest on, third-party cloud websites.
The Quest Software survey has quantified this threat. In the past 12–18 months, 30% of CIOs have had confidential HR data exposed outside of the business, while 25% have had customer and 23% have had financial information similarly exposed. That exposure poses multiple threats. Rapp points to potential breaches of the Data Protection Act, and exposure of sensitive data to both hackers and malware while outside of corporate security defenses. “And if that user leaves your employment,” he adds, “he automatically takes every file he has uploaded to Dropbox with him.”
As a result of ever-increasing reports of organizations losing corporate data, 62% of CIOs have faced increasing pressure over the past 12 months to better protect company data. According to the Quest survey, the greatest pressure is coming from internal legal teams (41%), CEOs (40%), and regulators (33%). “Security systems,” warns Phil Allen of Quest Software, “have not been implemented with tech-savvy employees in mind. People therefore resort to the easiest way of sharing corporate data, and many do so without thinking about the consequences.”
“The obvious first step,” suggests Rapp, “is to write an acceptable use policy into staff contracts.” But he doesn’t believe that alone is enough. A recent survey by Nasuni suggests that up to 20% of all staff are already using Dropbox, and that “49% of users do not follow IT policies even when educated about the policy.”
“As the guardians of information,” says Allen, “CIOs need to rethink how they deliver IT services and tools to employees, in order to offer a better service which meets both the end-user and business requirements, whilst not introducing unnecessary risk. IT leaders also need to better educate employees about the risks of sharing corporate data on vulnerable channels.”