I just finished reading an excellent article by Ted DeZabala -- the national leader of Deloitte's Security & Privacy Services -- on Forbes.com titled, "Are You Focused On The Wrong Security Risks?" It poses several good questions about what organizations are doing to protect their corporate identity, employees and personal data. Ted raises some excellent points around the necessary procedures for how to protect your company, however I think there is a bigger picture worth addressing.
For companies that are knowledge leaders, the rise of mobile devices, new applications, social media and ubiquitous broadband are the foundation for the next wave of business management and employment change. Companies that adapt quickly and actively change the relationship between IT and end users will be better able to attract talent, execute new business models and evolve management capabilities to improve competitiveness. This is truly the first generation where employee technology is the most important and crucial business value.
It's in this context that organizations are rapidly driving change. IT is loosening its control over employee technology and letting a new generation of smartphones, tablets and employee-owned devices into the enterprise. As business drives these changes, IT end user policies and security procedures need to be broadly reevaluated.
- As employee information becomes public on personal social networks companies need new security models to fight pretexting, targeted phishing attacks and other security threats. CIOs need to be absolutely sure that the identity of every person or device accessing company resources is legitimate. It's important to note that this threat can't be addressed by limiting work use of social media: even if these tools are banned, employees who put work information in their personal social media profiles or feeds create these same risks. You can view a copy of Dell's personal employee social media policy here.
- It is crucial that company employees protect the data on their personal owned devices. This means that they will need to establish tools to containerize and secure corporate data, password rules and enable a remote wipe. These procedures need to apply to corporate and personal devices that access the network, all data and applications.
- The mobile application gold rush has created many new security vulnerabilities. Many social media applications send clear text user credentials that can quickly be stolen on public networks with a new generation of easy-to-use sniffing tools. When a criminal knows someone's credentials, they likely have access to their work email address and preferred password. All of sudden, poorly designed social media applications have become an enormous enterprise risk. Few organizations have developed policies and procedures to find and defend against vulnerabilities in third party mobile applications.
- The threat of password theft is made worse by the fact that so many applications can now be accessed directly over the Internet. For example, most software-as-a-service applications - including critical applications that store email or customer data - can be accessed by anyone who knows the URL. With an employee name and a work email address they can begin guessing passwords. If they collect the passwords through phishing or pretexting, most organizations may never catch the data breach. Procedures that "trust" a client by requiring extended credentials such as birthdate or mother's maiden name can also be overcome using data found on social networks.
The simple fact we may be forgetting is this: companies can no longer control security risks with internal policies that limit the use of devices, applications or data. As new risks continue to evolve, most organizations will need to architect security around an environment they don't fully control. Instead of fighting to control the ways in which we embrace technology, the only remaining choice for most CIOs is to adapt to it.