The proliferation of personal technology at work puts corporate data at risk, and security practitioners aren't paying attention.
In the corporate world, the boundary between business and personal domains was always clear. You worked at the office with a company PC or laptop, and maybe you had a computer at home for personal business. But the increasing consumerization of technology has blurred the line between the office and home, creating risks that infosecurity teams are ignoring.
High-capacity plug-and-play storage is now a consumer item given away for free at trade shows. Who doesn't have a memory stick, a PDA or a mobile phone that can sync with Microsoft Outlook? Home PC access into corporate systems is routine, and several firms have even started experiments with employee-owned laptops.
I'm writing this column on multiple PCs, carrying the file back and forth on a USB memory device. Is there any doubt that accountants and lawyers, tired of lugging their laptops back and forth to work, sometimes do that, too? Unfortunately, they often deal with highly sensitive data. The consumerization of IT with the growing propensity to connect personal devices to the enterprise facilitates deliberate theft and inadvertent leakage. The more data people carry around, the more data will be lost. I've got to imagine that quite a few teenagers have walked off with a memory stick from dad's desk, and more than a few have "borrowed" his company laptop.
Digital media is exponentially easier to copy and carry than paper, and any forensic examiner will tell you that devices with USB capability are often the recipients of huge amounts of enterprise data. We find ourselves at the dawn of a significant period of social change due to the ubiquitous new technology, and it impacts our ability to protect organizational information. The occasional drama of yesterday's smash-and-grab hack attacks contrasts with today's quiet, steady seepage of corporate data through the USB ports of trusted insiders.
Tax accountants have always filled their briefcases, paper or digital, with sensitive data to work on at home. Some has always been lost, but it only amounted to a few dozen sheets of paper then. Today, tens of millions of digital records fit into a $10 key fob.
An ever greater amount of organizational data is stored on consumer gear, yet so far IT has avoided thinking too much about the risks this entails. Most security leaks stemming from this problematic trend aren't even spotted, so there is little motivation to deal with it. Without a squeaky wheel, this kind of risk doesn't get the attention it deserves.
Unfortunately, there is precious little that policy controls can do about the problem. It is going to take new technology to plug the leaks that are being created by the convergence of the consumer and workplace IT environments. The top concern here is purely one of building a sense of urgency within the security and IT teams, and especially among the business managers. Without that sense of urgency, they will have no interest in supporting the purchase and use of the sorts of technology needed to deal with this issue.
Both IT and security managers ought be looking five years down the road and deciding how they are going to safely accommodate what is becoming the most significant dislocation to the business environment since the Internet itself.