News Analysis: Although consumer electronics offers some of the most innovative technology available, making it part of your business could be a problem. But only if you don't plan ahead.
You've seen it happen dozens of times. One of your business
buddies shows up with the latest gadget from the Best Buy ad over the weekend,
and now he wants to use it at work. It might be a new smartphone, an external
hard disk or even a personal wireless access point, but whatever it is, it's
not something that has been approved to work in your business.
Normally you wouldn't care, but as an IT administrator, you
have to listen to your buddy gripe about how awful it is that the evil network
folks won't let him just plug and play. Surely there's a way around this,
right? The answer, of course, is maybe.
The secret to living with the inexorable incursion of
consumer technology is to embrace what's good, control what's risky and educate
people about those things that really are unsuitable for use in the office. But
it's important to know that most companies can benefit from the innovations in
consumer electronics as long as you're prepared.
Being prepared can mean a lot of things when it comes to
allowing consumer technology to exist within your company. In addition to
education, it can mean adopting the right policies so the technology can be
integrated safely, and it can mean not sticking with outmoded practices that
effectively drive your employees to use their own consumer products instead of
what you provide for the enterprise.
Personal e-mail use by employees is an excellent example.
Many, perhaps most, enterprises have a limit on the size of e-mail attachments.
Often this is in place to prevent your e-mail server from filling up with too
much clutter. But there's another side to this issue. If you don't make it
possible for your employees to send large files to each other when their work
demands it, then you're effectively giving them no option but to go outside of
the enterprise, and incidentally outside of the security and audit trail that
goes with it.
The easy solution is raise your e-mail attachment limit to
something that will at least allow a PowerPoint presentation to be sent from
one office to another. You should also probably provide some means of sending
larger files with programs such as YouSendIt
or Accellion managed file transfer
"Organizations should be thinking
about how they should outfit their employees with file transfer," said Accellion
Chief Marketing Officer Paula Skokowski. "Employees would not be looking
at work-arounds if the company provided them."
The same is true for other employee-provided technology for getting
their jobs done. Handled right, it can be a benefit to the company. "I
always thought it was nuts that if someone was willing to spend their own money
to help them do their job better, that you wouldn't embrace it," said Doug
Neal, research fellow for the Leading Edge Forum Executive Program. Neal said companies need to have a different attitude
toward employee-owned gadgets since, in the long run, it will probably be
impossible to keep them out of the workplace. He suggests engaging employees in
the solution, and helping them use their personal devices to improve their
productivity where possible. "We're creating security problems if we don't
adapt in the way we should," Neal said.
But of course that doesn't mean you can just throw open the
doors and let any employee bring in anything at all. You're still responsible
for security and compliance, so you have to make sure that whatever devices you
allow to handle sensitive data comply with security requirements, and that
their use is auditable. It also means that you need to have policies about how
such devices are used, and how to enforce those policies.
In general, it's important to either provide the products employees
need or help employees control the devices they bring to work. In many
companies this has become a necessity as many have moved to allowing or requiring
employees to provide their own smartphones and laptop computers. If you're
requiring that employees have the devices, then you need to also make sure that
they can handle them responsibly.
Edy Almer, vice president of product management and marketing
at Safend, pointed out that helping employees do the right thing is the only
sensible course of action anyway. Almer said he's seen any number of efforts by
companies to block access to USB ports, or
to block large file transfers, but he said such efforts are ultimately doomed. "The
users will find a way," Almer said. Worse, the result could be
uncontrolled and unmonitored connections to the outside world. "You can
end up with multiple connections into the organization," he said.
Almer suggested the use of software (such as that made by
Safend) to encrypt any data that goes out a USB
port so that there's no danger of a data breach if someone loses a memory
stick, and to monitor where the data goes for compliance purposes. He also
suggested that other things that drive security officers nuts, such as social
networking and personal e-mail, aren't really that big a problem. "You can't
block them completely," Almer said.
"You're better off allowing it but having a policy in
place and monitoring transfers. If you're blocking users, they're savvy,"
he said, pointing out that they'll just find a way around your blocks. "You're
better off allowing them to do what they want, and letting them know what's