SailPoint has recently released their survey results regarding employee behavior with respect to corporate data. An interesting figure indicates that 24% of the surveyed Brits mentioned they would copy electronic data and files to take with them when they leave a company.
This figure should certainly raise concern and comes as no surprise. In fact, a similar survey conducted by Imperva covering 1000 individuals in London, demonstrated how severe this problem really is. That survey showed that 79% of the respondents mentioned that either their organization does not have data removal policies (upon employee departure), or they were unaware of such policy. Furthermore, the vast majority (85%) store corporate data in home computers or personal mobile devices.
This is an immediate consequence of the trend called “Consumerisation of IT”. What we are witnessing is a phenomenon where the employees themselves are the ones who are introducing their preferred technologies to the enterprise. Today’s employees are tech-savvy and they want their employers to accommodate all these new technologies and devices. Workers are using social networks as an online collaboration tool. Others are using their personal devices to access the company’s web mail. In fact, according to a Unisys survey- referring to 2010 data- 95% of workers use self-purchased technology for work. More so, employers don’t even seem to be aware of how their employees are integrating their own devices into their jobs: in that same Unisys survey, workers reported using consumer devices at twice the rate that their employers had reported.
The proliferation of mobile devices has further lent itself towards the “Consumerisation of IT”. The SailPoint’s survey indicates that 29% of British employees use mobile devices to access the company’s private Intranet or portals. The Unisys’ “Consumerisation of IT” survey from 2010 shows even higher adoption rates among US employees. In recent years we have seen a growing variety of mobile applications that are a gateway to enterprise systems, including CRM, ERP, and document management. On top of this, the devices are consistently growing in terms of storage capacity and web technology adoption. Apple’s iPhone comes with up to 32GB of internal storage, while its bigger sibling iPad can accommodate up to 64GB of memory. (For context, one million records holding names, addresses, and social security numbers will occupy approximately 0.5GB.).
The “Consumerisation of IT” has left the door open to Insider Threats. While the common belief is that the insider threat is usually a corporate spy or a revenge-seeking employee, the reality is more mundane. As it turns out, it is the average Joe that represents the most probable threat. Employees enjoy legitimate access to sensitive corporate data while on the job. They use their access privileges to rightfully create copies of the information as they process it for their daily tasks. Upon leaving the organization, many individuals do not care to remove copies of sensitive information, and in some cases even develop a sense of personal ownership towards it.
As we can see, the “Consumerisation of IT” has left businesses with diminished control over access to internal perimeter and user behavior at the end point (e.g. password policy, storage encryption, use of AV software cannot be enforced employee owned devices). As a consequence, organization must put more focus on protecting data sources against abusive activity by authorized users and devices. What should organizations do to prevent this data getting out of control?
- Enforce strict access controls over critical data. This access control should be based on a business need-to-know level. This cannot be achieved by a singular project but rather imposes a process of constantly evaluating user access privileges
- Monitor access to sensitive corporate data and maintain a detailed audit trail.
- Detect abusive access patterns to sensitive corporate data
ABOUT AMICHAI SHULMAN
Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. The press draws on Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques, and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.