Left to their own devices
Consumerisation of workplace tech has meant more IT security headaches. Fleur Doidge reports
Republican US senator for Indiana 1916-1933, James Eli Watson, is the person usually credited with coining the phrase, ‘If you can't beat ‘em, join ‘em' - rendered in the local dialect as ‘If you can't lick ‘em, jine ‘em'. When you hear the phrase today, it tends to elicit agreement from those listening, and perhaps a sage nod of the head or two as well.
There are some wars that either cannot be won, or for pragmatic reasons are best avoided. IT security is known for its conservative approach, but in business there are times when a rethink is needed that redraws the battle lines. And, according to speakers at a roundtable sponsored by Check Point, a security rethink of a similar kind is on the cards in the wake of increasing use of consumer devices and software in business IT environments.
Bob Tarzey, service director at analyst firm Quocirca, spoke at the roundtable. He says that the event focused on the trend for employees to increasingly use their own, personal, self-chosen mobile devices at work - even if they are offered another by their employer.
This has created obvious implications and worries for businesses, which often create and store sensitive data and information that must remain private to at least some degree.
"With this consumerisation of IT, there are two main aspects. One is the benefits and pitfalls to allowing users to use their own devices to access work IT resources, and the second is allowing users much more use of social networking tools as part of the way they connect with the outside world," says Tarzey.
Both practices highlighted by Tarzey open the door to security risks around data loss and leakage - some of which can result in significant financial penalties and damage to assets such as the company's brand, even if the information leaked is not used to do further harm or for criminal purposes.
The conservative response, one might think, and the one that many companies have and still continue to adhere to, is to prevent staff from using social media and from introducing their own mobile devices to the office network.
But, according to Tarzey, this move is no longer adequate to stem the ‘invasion' of consumer devices and apps into the workplace. Nor is it appropriate, even.
"We think that businesses really do not have a lot of choice, as the move to consumerisation is inevitable. That is for a number of reasons," he says. "There are big benefits to embracing it, to some extent. And you can say, ‘Bring any old devices', or you can say, ‘It makes sense that you go out and buy one, you can have one, and we will support it', offering them a selection from which to choose their purchase."
He says that people are going to bring in and use their personal devices and apps whether companies like it or not - in fact, they are already doing so. The company has only limited control over that, and so, in lieu of any more effective response, it must ‘join ‘em'.
For the channel, the move could potentially decimate revenues from selling fleets of identical mobile phones, laptops and the like to customers, Tarzey notes. However, it has been a long time now since many resellers pinned their hopes on hardware profits.
Software, services and support
Margins in recent years are increasingly about software, services, and support - and in a way, the consumerisation of IT in the workplace merely continues that trend. The availability of cloud services, as well, will help accelerate and facilitate the transition - making it easier for businesses to support a range of personal mobile devices.
"The consumerisation strategy is an issue for the channel; it can no longer be about deploying 200 BlackBerrys for a company. That hardware margin is gone," Tarzey says. "But there are other opportunities. There is a whole new category emerging called ‘mobile device management'. Merge that with traditional endpoint management, merge it with all the endpoint devices that are being used, and provide a customised services-led approach."
Tarzey says the shift to folding even a select number of personal mobile devices under the wing of the corporate network will be a big challenge - and companies of all sizes will need VARs and other solution providers to help.
Nick Lowe, head of northern Europe at endpoint security vendor Check Point, says the technology is certainly available to help companies manage employees' personal phones and laptops securely - or as securely as they could reasonably hope for, since nothing can be totally secure, of course, and still remain usable.
Lowe says that it provides an additional argument to convince customers to move to cloud, where people are accessing applications and information remotely via their personal laptops or smartphones. They can then log in to their work network remotely, and do work, but nothing is stored on the remote device.
Remote devices can also be partitioned to allow authenticated, limited access to the corporate network, leaving the rest of the hard drive free for unfettered use of strictly personal applications, webmail, and the like. Certain information can be encrypted - other files or documents may not need that level of security.
"And what we are becoming increasingly aware of is that organisations seem to be now embracing the commercial cost-saving goal of providing people with a budget to get their own devices," Lowe says. "They cannot stop people buying an iPhone, for example."
Companies have certainly tried. Employees may be provided with the organisation's preferred, fully vetted, secured, and supported smartphone, only to complain that ‘it's not intuitive enough' and abandon it in a drawer somewhere, continuing to make work calls on their iPhone or other personal device of choice.
Which medium to choose?
Meanwhile, the ever-broadening range of social media online means that not everyone prefers the same type of communication. Some users only ever reply to email; others have ditched email in favour of IM or even Twitter. Others still prefer to communicate via voice call.
So for a business to maximise its reach and effectiveness, it cannot really afford in these increasingly competitive times to force staff to stick to just one or a few communications media - phone, email, or whatever - they ideally should be free to tailor their communication to their needs and to the customers' needs and habits as well, Lowe suggests.
There is some suggestion, too, that consumerisation really does increase employee satisfaction, and it can cut corporate IT overheads even when the extra management and security is factored in, says Lowe.
Integrator and VAR SCC joined the conversation around personal mobile devices in the workplace in June when it released a statement saying that businesses need to take action. According to SCC, the consumerisation of IT is one of the largest challenges facing business - and in that, lies opportunity for the channel.
"We know UK businesses are ready to do more than just talk about this issue because it's on the agenda of every CIO we speak to," wrote James Rigby, managing director at SCC UK.
"The consumerisation of IT is already happening in the workplace and it's happening in every company right now. There are many fundamental questions that organisations have to consider. For example, do they know how many staff-owned smartphones, iPads and laptops are already on their networks and do they know what they're doing on them?"
Rigby says that forward-thinking companies are exploring ways to get around the potential problems, by for example subsidising employee purchases of notebooks for both work and home use. Implications outside the IT department's direct remit, such as for human resources and finance, must also be considered.
"We've been running practical workshops with our customers in order to highlight the range of issues presented by consumerisation that need to be pulled together and considered. Of course this is not just about technology," Rigby says.
Apple iPad no fad gadget>> www.channelweb.co.uk/1898901