Middle East Blogger

A Middle East ERP Software, CRM Software and Technology Blog


A New Look at Old Security Policies

Consumer Devices and Social Media Require Another Look at Security Compliance

Your company has lots of time and money invested in hardware, software and intricate information technology (IT) infrastructure. You've got policies and procedures for information security, data storage, patch management and much more. But with all of this IT at stake, are you also paying as close attention to the personal thumb drives, personal laptop computers, smartphones, unsecured wireless devices and other unauthorized IT hardware that's brought into your offices by your employees? And beyond hardware, are you even aware of the Web sites that your staff are accessing while they're at work, ranging from social networks such as Facebook, Twitter, YouTube and MySpace to problem sites including porn? If you're not thinking about these kinds of real-world security and privacy breaches, then your business is at risk.

Government Technology magazine reported that many bosses aren't aware of what devices their employees are using and plugging into their corporate networks. "Recent studies illustrate that many company leaders may not know just how popular personal devices are with their staff," the story reported. "This lack of awareness can bring along security and privacy issues."

Another study, by Unisys Corporation and International Data Corp. (IDC), looked at 2,820 workers in 10 countries and how they are using personal technology and communications devices at work. The study found that "people are blurring the lines between home and business when they use consumer devices and social Web apps. Meanwhile, another study of 650 IT decision-makers found a disconnect between bosses and workers on their perceptions of how personal usage overlaps with professional usage in the workplace," according to the report. The data showed stark gaps between what staff believe is acceptable behavior at work compared to what their employers believe is acceptable.

For example, 69 percent of staff said they thought they could access non-work-related web sites at work, but only 44 percent of bosses said the same. Some 52 percent of staff felt it was acceptable to "store personal data and files on company resources," compared to only 37 percent of their employers. And in terms of the use of self-purchased IT devices at work, 95 percent of staff reported that they use at least one device that's not provided by their employers.

A separate research study found that "one in three staff would continue to use a personal device for work purposes, despite 83 percent admitting that it could pose a security risk to their company," according to the British IT publication SC Magazine. The research also found that 71 percent of the respondents use personal laptops and home computers and personal smartphones, thumb drives and CDs to "move data on and off the corporate network via these devices, and almost all carry out activities that could put company data at risk," according to the SC Magazine story. The story drew the obvious conclusion that most staff do not have the same level of information security concern as do their employers.

So what does this all mean? It means that you need to have clear, well-communicated and reinforced policies for your staff so they know what is and is not acceptable behavior once they arrive at their workplace with personal IT devices they plan to use on your network, or when they plan on visiting Web sites online from their desks. And it doesn't end there. You also need to have policies for acceptable use when it comes to work being done by employees remotely, on the road or in the facilities of your clients and customers. This is not the time to be one of those bosses who isn't aware of the personal IT equipment being used inside your company by workers who bring the stuff in from home.

It's critical that you create, communicate and enforce rules so that your staff have reasonable expectations when bringing in devices from home. But don't be afraid to set limits on devices that truly are worrisome from an information security standpoint, such as non-company-issued USB thumb drives, which raise concerns about computer virus dissemination, data privacy, accidental data loss and theft.

At the same time, though, don't set outright bans that are overly restrictive, because you'll just encourage your workers to break those kinds of seemingly arbitrary rules. Set reasonable limits and be clear on why they exist. Make sure your staff know of the security and privacy threats that you are trying to prevent so they understand, abide by the rules and can help the effort.

The bottom line is that while information security must be uncompromising, there can be gray areas that you need to approach head-on inside your company so you don't have a data breach or information security compromise that will one day bite your company. Eliminate the gray areas and make sure that everyone inside your business knows how you want to manage security and privacy breaches through good planning, education, understanding, communication and reinforcement.

Some limits for what devices can be brought in from home and used at work are good and reasonable, but work with your employees to be sure that they know the reasons for the rules and that they're not unreasonably restrictive.

One caveat to keep in mind: despite information security and privacy concerns overall, there definitely are some good things that potentially can come from your staff having access to Facebook, Twitter and other social media sites while they're at work. If your staff are using Facebook and Twitter to communicate with your customers and help them bond with your company, those actions advance customer relationships. And if they can get their work done more easily by taking advantage of some of the IT tools they only have at home, that can be a net gain for your business, too. So do your due diligence, create reasonable policies, talk with your employees, find ways to work it out and measure your policies for conformance.

 
