You've seen it happen dozens of times. One of your business buddies shows up with the latest gadget from the Best Buy ad over the weekend, and now he wants to use it at work. It might be a new smartphone, an external hard disk or even a personal wireless access point, but whatever it is, it's not something that has been approved to work in your business.
Normally you wouldn't care, but as an IT administrator, you have to listen to your buddy gripe about how awful it is that the evil network folks won't let him just plug and play. Surely there's a way around this, right? The answer, of course, is maybe.
The secret to living with the inexorable incursion of consumer technology is to embrace what's good, control what's risky and educate people about those things that really are unsuitable for use in the office. But it's important to know that most companies can benefit from the innovations in consumer electronics as long as you're prepared.
Being prepared can mean a lot of things when it comes to allowing consumer technology to exist within your company. In addition to education, it can mean adopting the right policies so the technology can be integrated safely, and it can mean not sticking with outmoded practices that effectively drive your employees to use their own consumer products instead of what you provide for the enterprise.
Personal e-mail use by employees is an excellent example. Many, perhaps most, enterprises have a limit on the size of e-mail attachments. Often this is in place to prevent your e-mail server from filling up with too much clutter. But there's another side to this issue. If you don't make it possible for your employees to send large files to each other when their work demands it, then you're effectively giving them no option but to go outside of the enterprise, and incidentally outside of the security and audit trail that goes with it.
The easy solution is raise your e-mail attachment limit to something that will at least allow a PowerPoint presentation to be sent from one office to another. You should also probably provide some means of sending larger files with programs such as YouSendIt or Accellion managed file transfer products. "Organizations should be thinking about how they should outfit their employees with file transfer," said Accellion Chief Marketing Officer Paula Skokowski. "Employees would not be looking at work-arounds if the company provided them."
The same is true for other employee-provided technology for getting their jobs done. Handled right, it can be a benefit to the company. "I always thought it was nuts that if someone was willing to spend their own money to help them do their job better, that you wouldn't embrace it," said Doug Neal, research fellow for the Leading Edge Forum Executive Program. Neal said companies need to have a different attitude toward employee-owned gadgets since, in the long run, it will probably be impossible to keep them out of the workplace. He suggests engaging employees in the solution, and helping them use their personal devices to improve their productivity where possible. "We're creating security problems if we don't adapt in the way we should," Neal said.
But of course that doesn't mean you can just throw open the doors and let any employee bring in anything at all. You're still responsible for security and compliance, so you have to make sure that whatever devices you allow to handle sensitive data comply with security requirements, and that their use is auditable. It also means that you need to have policies about how such devices are used, and how to enforce those policies.
In general, it's important to either provide the products employees need or help employees control the devices they bring to work. In many companies this has become a necessity as many have moved to allowing or requiring employees to provide their own smartphones and laptop computers. If you're requiring that employees have the devices, then you need to also make sure that they can handle them responsibly.
Edy Almer, vice president of product management and marketing at Safend, pointed out that helping employees do the right thing is the only sensible course of action anyway. Almer said he's seen any number of efforts by companies to block access to USB ports, or to block large file transfers, but he said such efforts are ultimately doomed. "The users will find a way," Almer said. Worse, the result could be uncontrolled and unmonitored connections to the outside world. "You can end up with multiple connections into the organization," he said.
Almer suggested the use of software (such as that made by Safend) to encrypt any data that goes out a USB port so that there's no danger of a data breach if someone loses a memory stick, and to monitor where the data goes for compliance purposes. He also suggested that other things that drive security officers nuts, such as social networking and personal e-mail, aren't really that big a problem. "You can't block them completely," Almer said.
"You're better off allowing it but having a policy in place and monitoring transfers. If you're blocking users, they're savvy," he said, pointing out that they'll just find a way around your blocks. "You're better off allowing them to do what they want, and letting them know what's allowed."