At the beginning of the summer, InsightaaS joined forces with Leger Marketing to investigate two related issues: the extent to which individual-owned devices (as compared to corporate-owned devices) are used to access corporate information, and the approaches used to secure these devices and the data that resides on them.
The two firms released an infographic from the initial survey of 1,500 Canadian consumers in June, and subsequently issued a more detailed report of findings. In this post, we look at three key points from the detailed report, and ask HP’s Steve Brar, global product marketing manager for HP Networking, to provide perspective on how these results might, or should, affect the strategies used by Canadian businesses to manage their employees’ approach to "self serve" BYOD and cloud usage.
1. The gap between "capability" and "responsibility"
The survey found that 46% of Canadians use their smartphones for work, but that 64% believe that their employers are primarily responsible for securing corporate data, and 44% believe that device manufacturers should provide more support in securing corporate data; only 39% agree that "I am primarily responsible for securing corporate data."
Question: How should employers react to this dichotomy between the ability to access corporate information via smartphones, and the responsibility for safeguarding that information?
Steve Brar: Employers should educate users on security best practices while developing a comprehensive BYOD strategy to mitigate the security risks associated with mobile device access to corporate information. They can start by segmenting their network so the most sensitive information isn’t accessible to guests. By taking a unified, multi-layer approach to security, including identity-aware access control systems and comprehensive intrusion prevention solutions, combined with employee education on shared responsibility for corporate security, employers can eliminate security holes and reduce risks.
2. Many versions of (the confidential) truth
The survey found that employees use many different methods of accessing or storing business data outside the office. A majority (59%) use home PCs to access or store business applications or data; nearly half (48%) use USBs, SD cards or other storage devices to transport corporate information, and many staff members use their own smartphones or tablets (36% and 20%, respectively) to access/store corporate data.
Nor are devices the only means by which corporate data can leak beyond the enterprise walls. More than half of respondents are using cloud-based systems to store/access corporate information: 48% send information to their personal email accounts, and 23% use Dropbox or another third party cloud storage service.
These statistics are worrisome, but the survey found another reason for concern as well. Regardless of the device or service used, over 30% of employees are relying on public Wi-Fi hotspots to connect corporate data to personal storage repositories.
Questions: We’ve got two here. The first is, assuming that doing away with BYOD altogether isn’t an option, what can (and should) organizations do to ensure responsible handling, tracking and governance of corporate information? And secondly, what can/should organizations do to maintain integrity of corporate information in a BYOD world?
Steve Brar: Comprehensive network access control (NAC) is the first line of defense in any security strategy. NAC allows employers to define and strictly enforce identity-based access policies for specific users or devices accessing the network. The solution should leverage the existing directory services and support multiple authentication mechanisms such as IEEE 802.1X, self-registration portals and device fingerprinting methods, and provide self-service portals to reduce support burdens.
Integration with intrusion detection and prevention systems provides a solid second line of defense against device-based and network-based threats by continuously monitoring and blocking malicious activity and malware-infected devices.
Network management is an important consideration when formulating a BYOD plan. A unified wired and wireless network and single management tool simplifies configuration, troubleshooting, and reporting, allowing IT departments to efficiently provision users, set policies, and ensure compliance and service levels. It also provides centralized visibility of the entire enterprise network to optimize network performance and availability, increase user productivity and satisfaction, while containing operating expenses and mitigating risk.
Employers can further enhance their BYOD program with mobile device management (MDM) to ensure compliance with the latest anti-virus software and a comprehensive HR program to ensure employees are aware of the company mobile device policy.
3. The personal cloud
We asked respondents whether they are using cloud-based applications or storage — and if so, whether these systems were set up by IT, or by users directly without IT involvement.
As the figure below illustrates, just over 20% of employees have set up their own business cloud applications, and a similar proportion have built their own cloud-based storage systems. Interestingly, these figures are nearly identical to the proportions of users supported by cloud applications or storage set up by IT for business use.
To provide further insight on these issues, InsightaaS is providing our readers with access to an HP-authored white paper, Software-defined networking: A pragmatic approach to increasing network agility from HP Network Services.