According to a recent survey, 24 per cent of British employees would copy electronic data and files to take with them when they leave a company (source: SailPoint). This figure should raise concerns and yet it comes as no surprise.
In fact, a similar survey conducted by Imperva covering 1,000 individuals in London demonstrated how severe this problem really is. It found that 79% of respondents said either that their organisation does not have a data removal policy (upon employee departure) or that they were unaware of such a policy. Furthermore, the vast majority (85%) store corporate data on home computers or personal mobile devices.
This is an immediate consequence of the trend called “consumerisation of IT”. What we are witnessing is a phenomenon where the employees themselves are the ones who are introducing their preferred technologies to the enterprise. Today’s employees are tech-savvy and want their employers to accommodate all these new technologies and devices.
Workers are using social networks as an online collaboration tool. Others are using their personal devices to access the company’s web mail. In fact, according to a Unisys survey in 2010, 95% of workers use self-purchased technology for work. Employers don’t even seem to be aware of how their employees are integrating their own devices into their jobs - in that same survey, workers reported using consumer devices at twice the rate that their employers had suggested.
SailPoint’s survey indicates that 29% of British employees use mobile devices to access the company’s private Intranet or portals. The Unisys survey showed even higher adoption rates among US employees. In recent years we have seen a growing variety of mobile applications that are a gateway to enterprise systems, including CRM, ERP, and document management. On top of this, the devices are consistently growing in terms of storage capacity and web technology adoption.
Consumerisation of IT has left the door open to insider threats. While the common belief is that the insider is usually a corporate spy or a revenge-seeking employee, the reality is more mundane. As it turns out, it is the “average Joe” who represents the most probable threat. Employees enjoy legitimate access to sensitive corporate data while on the job. They use their access privileges to legitimately create copies of the information as they process it for their daily tasks. Upon leaving the organisation, many individuals do not remove these copies of sensitive information and, in some cases, even develop a sense of personal ownership towards it.
This consumerisation has left businesses with diminished control over access to the internal perimeter and over user behavior at the endpoint - for example, password policy and storage encryption cannot be enforced on employee-owned devices. As a consequence, organisations must put more focus on protecting data sources. To do this, they must:
• Enforce strict access controls over critical data based on a business need-to-know level. This should be a process of constantly evaluating user access privileges.
• Monitor access to sensitive corporate data and maintain a detailed audit trail.
• Detect abusive access patterns to sensitive corporate data.
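
The three measures above, shown as an added example that is not part of the original article: an entitlement review run against an audit trail, and a per-user baseline check that flags abusive read volumes. The log schema, names, thresholds and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the article): audit trail rows of
# (day, user, data_source, records_read), plus the access each user is granted.
AUDIT = [
    ("2024-03-04", "alice", "crm", 40), ("2024-03-05", "alice", "crm", 35),
    ("2024-03-06", "alice", "crm", 50), ("2024-03-07", "alice", "crm", 45),
    ("2024-03-08", "alice", "crm", 4200),  # bulk, export-sized read
    ("2024-03-04", "bob", "hr", 10), ("2024-03-05", "bob", "hr", 12),
    ("2024-03-06", "bob", "hr", 11),
]
ENTITLEMENTS = {"alice": {"crm"}, "bob": {"hr", "finance"}}


def unused_entitlements(entitlements, audit):
    """Need-to-know review: grants never exercised in the audit window."""
    used = defaultdict(set)
    for _day, user, source, _count in audit:
        used[user].add(source)
    return {user: sorted(granted - used[user])
            for user, granted in entitlements.items()
            if granted - used[user]}


def abusive_reads(audit, factor=5, floor=100):
    """Flag days where a user read far more than their own typical volume.

    The baseline is the median of that user's daily reads on that source,
    so a single bulk day does not drag the baseline up with it.
    """
    history = defaultdict(list)
    for day, user, source, count in audit:
        history[(user, source)].append((day, count))
    alerts = []
    for (user, source), rows in sorted(history.items()):
        baseline = median(count for _day, count in rows)
        for day, count in rows:
            if count >= floor and count > factor * baseline:
                alerts.append((day, user, source, count, baseline))
    return alerts


if __name__ == "__main__":
    print("revocation candidates:", unused_entitlements(ENTITLEMENTS, AUDIT))
    for alert in abusive_reads(AUDIT):
        print("abusive access pattern:", alert)
```

The `factor` and `floor` thresholds are placeholders to tune per data source; the same audit rows feed both the periodic privilege review and the detection step.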