I just finished reading an excellent article by Ted DeZabala, the national leader of Deloitte’s Security & Privacy Services, on Forbes.com “Are You Focused On The Wrong Security Risks?”, which poses several good questions about what organizations are doing to protect their corporate identity, employees and data. Ted raises some excellent points around the necessary procedures for how to protect your company. But, I think there is a bigger picture worth addressing.
For companies with knowledge workers, the rise of mobile devices, new applications, social media, and ubiquitous broadband is the foundation for the next wave of business, management, and employee change. Companies that adapt quickly and actively change the relationship between IT and end users will be better able to attract talent, execute new business models, and evolve management capabilities to improve competitiveness. For the first time in a generation, employee technology is an important business issue.
It’s in this context that organizations are rapidly driving change. IT is loosening its control of employee technology and letting a new generation of smartphones, tablets, and employee-owned devices into the enterprise. As business drives these changes, IT end user policies and security procedures need to be broadly reevaluated.
- As employee information becomes public on personal social networks, companies need new security models to fight pretexting, targeted phishing attacks, and other security threats. CIOs need to be more sure than ever of the identity of every person or device accessing company resources. It’s important to note that this threat can’t be addressed by limiting work use of social media: even if these tools are banned, employees who put work information in their personal social media profiles or feeds create these same risks.
- Companies need to protect data on personally owned devices, meaning they will need to establish tools to containerize and secure corporate data, enforce password rules, and enable remote wipe. These procedures need to apply to corporate and personal devices that access the network, data and applications.
- The mobile application gold rush has created many new security vulnerabilities. Many social media applications send user credentials in clear text, where they can quickly be stolen on public networks with a new generation of easy-to-use sniffing tools. When a criminal knows someone’s credentials, they likely have that person’s work email address and a preferred password. All of a sudden, poorly designed social media applications have become an enormous enterprise risk. Few organizations have developed policies and procedures to find and defend against vulnerabilities in third-party mobile applications.
- The threat of password theft is made worse by the fact that so many applications can now be accessed directly over the Internet. For example, most software-as-a-service applications – including critical applications that store email or customer data – can be reached by anyone who knows the URL. An attacker with an employee name and a work email address can begin guessing passwords. If the attacker collects the passwords through phishing or pretexting instead, most organizations may never catch the data breach. Procedures that “trust” a client by requiring extended credentials such as birthdate or mother’s maiden name can also be overcome using data found on social networks.
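The last two points describe how stolen or guessed credentials reach Internet-facing applications. One defensive consequence is that login telemetry for those applications has to be watched, because the authentication itself looks legitimate. The following is an added example, not code from the author or from any vendor mentioned in the post: a small detector that reads login events in a constructed log format (ISO timestamp, username, source IP, FAIL/OK) and flags the three patterns a SaaS administrator would want surfaced: repeated failures against one account from one source, one source failing across many accounts (password spraying), and a success that follows a burst of failures. The log format, field order and thresholds are assumptions for illustration.

```python
"""Flag password-guessing patterns in login events for an Internet-facing app.

Added example for this post, not code from the author. The log format
(timestamp user ip result) and the thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). Three stories:
#   * 203.0.113.5 hammers one account, then succeeds
#   * 198.51.100.7 tries one password against many accounts (spraying)
#   * 192.0.2.10 is a user who mistypes once and then logs in normally
SAMPLE_LOG = """\
2011-03-01T09:00:01 alice 203.0.113.5 FAIL
2011-03-01T09:00:03 alice 203.0.113.5 FAIL
2011-03-01T09:00:05 alice 203.0.113.5 FAIL
2011-03-01T09:00:07 alice 203.0.113.5 FAIL
2011-03-01T09:00:09 alice 203.0.113.5 FAIL
2011-03-01T09:00:11 alice 203.0.113.5 OK
2011-03-01T09:05:00 bob 198.51.100.7 FAIL
2011-03-01T09:05:02 carol 198.51.100.7 FAIL
2011-03-01T09:05:04 dave 198.51.100.7 FAIL
2011-03-01T09:05:06 erin 198.51.100.7 FAIL
2011-03-01T09:05:08 frank 198.51.100.7 FAIL
2011-03-01T09:30:00 bob 192.0.2.10 FAIL
2011-03-01T09:30:20 bob 192.0.2.10 OK
"""

WINDOW = timedelta(minutes=10)    # sliding window for all three rules
ACCOUNT_FAIL_THRESHOLD = 5        # failures on one account from one source
SPRAY_ACCOUNT_THRESHOLD = 5       # distinct accounts failed from one source


def parse_log(text):
    """Turn 'timestamp user ip result' lines into (datetime, user, ip, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect(events):
    """Return findings as (rule, user_or_None, source_ip) tuples, in time order."""
    findings = []
    fails_by_pair = defaultdict(list)   # (user, ip) -> failure timestamps
    fails_by_ip = defaultdict(list)     # ip -> [(timestamp, user)] for failures
    flagged_pairs, flagged_ips = set(), set()

    for ts, user, ip, result in sorted(events):
        if result == "FAIL":
            # Rule 1: many failures on one account from one source.
            pair_fails = fails_by_pair[(user, ip)]
            pair_fails.append(ts)
            while pair_fails and ts - pair_fails[0] > WINDOW:
                pair_fails.pop(0)
            if (len(pair_fails) >= ACCOUNT_FAIL_THRESHOLD
                    and (user, ip) not in flagged_pairs):
                flagged_pairs.add((user, ip))
                findings.append(("brute_force", user, ip))

            # Rule 2: one source failing against many distinct accounts.
            ip_fails = fails_by_ip[ip]
            ip_fails.append((ts, user))
            while ip_fails and ts - ip_fails[0][0] > WINDOW:
                ip_fails.pop(0)
            distinct_users = {u for _, u in ip_fails}
            if (len(distinct_users) >= SPRAY_ACCOUNT_THRESHOLD
                    and ip not in flagged_ips):
                flagged_ips.add(ip)
                findings.append(("password_spray", None, ip))
        else:
            # Rule 3: a success right after a burst of failures on the same
            # account from the same source is the event most worth a human look.
            recent = [t for t in fails_by_pair[(user, ip)] if ts - t <= WINDOW]
            if len(recent) >= ACCOUNT_FAIL_THRESHOLD:
                findings.append(("success_after_failures", user, ip))
    return findings


def run_detection(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for rule, user, ip in run_detection():
        print(f"{rule:24s} user={user or '-':8s} source={ip}")
```

The single mistyped password from 192.0.2.10 produces nothing, which is the point of the window and threshold: the rules are tuned to the burst that guessing produces, not to ordinary user error. In a real deployment the thresholds would be tuned per application, and the `success_after_failures` finding is the one that should page someone, since it is exactly the breach the post says most organizations never catch.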
The simple fact we may be forgetting is this: companies can no longer control security risks with internal policies that limit the use of devices, applications, or data. As new risks continue to evolve, most organizations will need to architect security around an environment they don’t fully control. Instead of fighting to control the ways in which we embrace technology, the only remaining choice for most CIOs is to adapt to it.