Consumer Technology in the Workplace: Managing
Security Risks and Maximizing Employee Productivity

Unisys PoV on how to address new challenges and risks for enterprise IT and security posed by the consumerization trend. The paper, which you can download below, is titled, “Consumer Technology in the Workplace: Managing Security Risks and Maximizing Employee Productivity.”

Published in: Technology

  1. 1. Consumer Technology in the Workplace: Managing Security Risks and Maximizing Employee Productivity

     Point of View

     As employees become more mobile and use more consumer technologies in the workplace, corporate systems and information are increasingly at risk from security breaches. All organizations know that they should strengthen IT security, but smart IT departments approach the task in a way that improves, rather than stifles, employee productivity.

     Traditional security models in which corporate information is protected by secure network perimeters only around an organization’s office environment are becoming obsolete. This is due to more mobile employees accessing corporate systems from outside the office and a proliferation in the number of device types and online tools, including smartphones, netbooks, Web 2.0 applications and social networking sites, that increase the number of corporate network entry points. These trends will only gain momentum as younger-generation ‘digital natives’ enter the workforce and more organizations allow employees and contractors to bring personally-owned devices into the workplace.

     The productivity benefits gained from the increased employee mobility, flexibility and job satisfaction that result from the use of these new IT tools are considerable. However, as IT departments come under pressure to effectively manage and protect employee behaviors enabled by new tools, threats to the corporate network are becoming more sophisticated, targeted and insidious. Viruses, malware, spyware and phishing attacks are increasingly tailored to exploit specific security holes created by new device types and online tools. Employee downtime and the time and resources required to recover from such attacks have a real impact on employee and business productivity.

     To protect the organization from these new threats, an IT department needs to create an extended security model that better secures the most exposed and weakest layers in the environment—the endpoints and the network infrastructure—and that includes employee education and policies that direct user behavior. However, this needs to be done in a way that still gives employees access to tools and capabilities they need to do their jobs more efficiently and effectively.

     Enhancing Endpoint Security

     For today’s employees, the nine-to-five workday is a thing of the past and the workplace can be just about anywhere. Depending on where they are and what they are doing, employees may choose to work on different devices, such as a laptop in the office, a smartphone while checking emails on the weekend, and a netbook while traveling. While out of the office they may be connecting to the network via a phone connection or even an unsecured wireless link, which renders the traditional security perimeter around a single office environment obsolete. To support the anytime, anywhere workplace, organizations need a new security perimeter that expands beyond four walls and flexes to cover all possible device types and connections an employee chooses to use at any given time.

     When employees connect endpoints (such as PCs, netbooks, PDAs or smartphones) to the network at the office, they are protected by an enterprise-class security infrastructure that includes firewalls, IPS, proxy servers and more. However, when employees take devices out of the office, they become an exploitable leak in the perimeter.
  2. 2. An employee using a device outside of the office can unintentionally let his or her guard down, catch a silent virus, and then carry the virus inside the organizational perimeter upon return to the office. An infected endpoint can enable a person with malicious intent to gain ‘authorized’ access to a device or corporate network by collecting and re-using an authorized account and password, or take advantage of the user’s access when he or she is logged in. Viruses and malware are not the only threats. An opportunity for unauthorised access to the corporate network or sensitive data can happen as simply as an unsecured laptop or USB device being misplaced or stolen. This is why a critical element of an extended security model is enhanced endpoint security that includes stronger technology solutions to protect against infection and unauthorized access.

     Most organizations have endpoint security in place through the use of host-based firewalls, anti-virus and anti-malware software, and identity management solutions. However, IT departments are not going to be able to prevent every breach, so the challenge is to find the infection faster and eliminate it at the endpoint before damage occurs. Despite long-term use, virus and malware controls on endpoints are not entirely effective. This is because most existing controls are based on blacklists that block access to known threats but are less effective against unknown threats, which can sit hidden within a device or the network for some time until activated. Whitelist or behavioral-based threat protection solutions deployed to endpoints help identify, quarantine and eliminate unknown risks more quickly, so they should be part of an enhanced security model.

     To further protect against access threats, other important aspects of an enhanced security model are robust access management and identity authentication solutions on devices through the use of stronger passwords, biometric scanners, smartcards, security fobs and similar. To provide an extra layer of protection for highly-sensitive data being downloaded to and stored on devices, organizations should also consider using encryption technology.

     Not only are there more sophisticated solutions for endpoint security being brought to market every day by security vendors, these solutions are increasingly being installed onto devices by OEMs and included in the latest versions of operating systems. For instance, some laptop models ship with built-in fingerprint scanners and facial recognition technology. Microsoft® Windows® 7 includes several enhanced security technologies, including device control technology, which specifies which external devices (such as USB drives, MP3 players, Bluetooth devices and DVDs) can be used on a PC and what data can and cannot be copied onto these devices, even when the user is not connected to the corporate network. Windows 7 also includes technology that prevents applications from being loaded onto a device unless they are on a defined list, and a function that acts as a ‘kill switch’ to remotely disable a device so that the data on it cannot be accessed. These built-in solutions can be powerful tools for securing devices, but it is up to the IT department to enable them as an integrated part of a security solution.

     Enhanced endpoint security provides a strong layer of protection against threats and gives organizations more confidence in allowing employees to be more mobile and use a wider range of devices and applications that enhance productivity. However, some threats will still permeate the endpoint layer so an extended security model must also include greater protection for another vulnerable layer: the network infrastructure.

     Controlling Network Access

     The necessary reality these days is that an endpoint should be treated as a threat unless proven otherwise. Network Access Control (NAC) requires devices to prove they are safe to connect to the network (pre-admission), as well as controls where the endpoints are authorized to go and what they are authorized to do. When an endpoint attempts to access a network, an established security policy is invoked to ensure the endpoint meets all the required criteria in the policy. For instance, the policy might require that the endpoint has an appropriate firewall and anti-virus protection installed before the endpoint will be allowed to communicate on the network. If the endpoint does not meet the entrance criteria, NAC solutions can quarantine and remediate non-compliant, infected or misconfigured systems.

     NAC technology has evolved from a focus on front-end network admission for endpoints to a focus on application-level controls. NAC solutions allow network administrators to define policies for endpoints without the need to have full (or any) control of those endpoints. NAC solutions provide a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments. This capability of NAC technology to enforce policies at network access time regardless of the endpoint type provides an organization with significant threat protection by preventing infected or compromised endpoints from
  3. 3. communicating with any other computer or application at the network level, thus preventing the compromise from spreading. Therefore, NAC is a critical element of an enhanced security model to address threats from increasing employee mobility and the use of consumer technology in the workplace.

     Should a threat enter the network infrastructure past the NAC technology, it is necessary to quarantine and disable it quickly. The creators of viruses and malware are becoming better at disguising them so they can slip through controls and remain undetected while spreading through IT systems. This is why it is important for IT departments to improve their security analytics engines, which are intelligent tools that look beyond known threats to identify behaviors and traffic patterns on the network—such as malware that tries to communicate with systems or make new connections—and quarantine the threat. For this reason it is also important for organizations to increase protection for data at rest in storage devices as well as data in motion on the network. For highly-sensitive data, this may mean implementing encryption technology as well as improving NAC.

     Mitigating Risk Through Policies

     As always, technology is only part of the solution when strengthening security and minimizing risk. The strongest security systems can be rendered useless by an employee who mislays a piece of paper listing his or her passwords. The challenge for senior managers is to drive security into the culture of the organization by educating employees about their behavior and potential threats and rigorously enforcing behavior-related policies. The most comprehensive and effective means of doing this is to involve the IT, HR, legal, risk and senior management teams in setting and managing policy.

     The employee education program and policies should cover, at a minimum:

     • Where and when devices can be used;
     • How to secure devices used to access the corporate network, including updating anti-virus and anti-malware definitions;
     • Rules for copying sensitive data onto external media such as USB devices, DVDs and CDs;
     • The use of passwords, including how often a password should be changed and whether the same password should be used to access personal resources, such as internet banking, and the corporate network;
     • Data ownership and surrender/access, distinguishing between applications and data of the organization and the employee;
     • Appropriate use of technology in the workplace, including HR issues such as workplace bullying, harassment, confidentiality breaches, etc.;
     • Appropriate behavior, confidentiality and disclosure on social networking sites; and
     • Consequences for breaching policies or program guidelines.

     When the IT department is supplying the devices and applications used by employees, it has more control over security. However, it is becoming more common for organizations to allow employees or contractors to connect their personally-owned devices to corporate networks. Employee-owned equipment is a potential carrier of infections across the security perimeter. The security software and settings used on many personally-owned devices are generally not as robust or updated as often as their corporate equivalents. The risk exposure can be exacerbated if employees and contractors log onto the corporate network using unsecured home connections or public wireless networks. Given this situation, standards need to be set to ensure personally-owned devices adhere to corporate security policies. At a minimum, employees and contractors need to keep their anti-virus definitions up to date.

     Organizations must also apply similarly robust policies to the use of social media and Web 2.0 applications. By basing these on logic and reason rather than applying blanket bans, organizations can educate employees to use these tools safely and responsibly—and productively. Different policies for different types of employees may be required based on their roles and need to access these sites and applications. For instance, the access policies may be different for a marketing employee who is responsible for posting videos to the corporation’s YouTube site and tracking brand mentions online, versus a call center employee whose role does not involve social media and whose KPIs are based on the number of inquiries handled per hour.

     However, when employees access social media sites for any reason using a device that connects to the corporate network, they need to understand how their actions on those sites impact the organization’s security and reputation and their
  4. 4. personal security. One of the fastest-selling credentials on the black market today is Facebook logins. Cyber-criminals use these to distribute embedded viruses through ‘friends’ lists because many people will automatically open any link from a friend without any thought to the security behind it. Implied trust through social networking is an exploitable weakness. By warning employees about phishing scams and other malicious activity on websites and advising them of steps to avoid falling victim, and educating them about the risks around downloading files that potentially have a virus or malware embedded, an organization reduces the risk to its staff and itself. These social media policies should also clearly articulate what corporate information can and cannot be posted, who is authorized to speak on behalf of the organization, and the consequences of a breach.

     Balancing Security With Productivity

     For every organization, productivity may mean something slightly different, such as employees’ ability to give higher quality service to customers or citizens, meet critical deadlines, drive new innovations, or bring products or services to market faster. However, for every organization, productivity means employees using their time most efficiently and effectively, which requires giving them the right tools, access and information they need, when and where they need them. By tightening security controls too much and denying employees the right tools, access and data, productivity is stifled.

     The key question presented to IT departments today is: how can they measure the productivity benefits gained from mobility and consumer technology against the risks and costs of an extended security model? The answer lies in two parts: firstly, actively and comprehensively monitoring the IT environment and secondly, better understanding users’ role requirements so it can be determined if the IT environment is truly supporting them to do their jobs effectively.

     The first part can be assisted by using infrastructure and end user computing monitoring tools to determine how workers are using their time and how productive they are; how effectively the network, devices and applications are performing for them; and how well the security model is protecting the environment. Many IT departments are familiar with infrastructure monitoring tools that provide these functions. However, the challenge with most monitoring tools is that they track how a particular element is performing, but they do not always track the end-to-end user experience. When determining if the IT environment is supporting employee productivity, the monitoring needs to be from the user perspective. How well are the applications performing from the user perspective? In an organization with more mobile employees, how can the IT department monitor end-to-end performance no matter where the user is located? How can the IT department relate employee productivity impacts back to a specific security incident, like a malware infection?

     The second part requires additional effort to truly measure the levels of employee productivity, the bottom-line value, and the benefits versus the cost. The most immediate place to start is by surveying workers and managers regarding their needs, if and how they use the IT tools they are given, and the benefits they see from greater mobility and the use of consumer IT tools. Common methodologies, such as Six Sigma Lean, can also help organizations understand how employee productivity impacts organizational productivity and the effectiveness of key processes and business outcomes within the organization. From evaluating these two parts, the productivity benefits can be weighed against the increased security costs to enable employees to be more mobile and use a greater selection of consumer technologies in the workplace.

     With the many different types of IT devices available, the growing popularity of social networking sites and Web 2.0 applications, and younger-generation employees entering the workforce, it is inevitable that users will demand more flexibility and access to consumer technology, regardless of the IT department’s plans. By better understanding user needs and what productivity means for employees and the organization, the IT department can create an extended security model that not only better protects the organization, but also gives employees access to better tools to do their jobs more efficiently and effectively.

     For more information visit

     © 2010 Unisys Corporation. All rights reserved. Specifications are subject to change without notice. Unisys and the Unisys logo are registered trademarks of Unisys Corporation. All other brands and products referenced herein are acknowledged to be trademarks or registered trademarks of their respective holders. Printed in the United States of America 07/10 10-0199
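
The pre-admission check described under "Controlling Network Access", sketched as an added example; it is not code from the Unisys paper or from any NAC product. The field names, segment names and the seven-day definitions threshold are assumptions, and the endpoints are constructed samples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed threshold: the paper names the criteria but gives no numbers.
MAX_AV_DEFINITION_AGE = timedelta(days=7)

@dataclass
class Posture:
    """Health attributes an endpoint reports when it tries to connect."""
    device_id: str
    corporate_owned: bool
    firewall_enabled: Optional[bool] = None      # None means "not reported"
    antivirus_installed: Optional[bool] = None
    av_definitions: Optional[date] = None

def evaluate_admission(p: Posture, today: date) -> dict:
    """Fail closed: the endpoint is a threat until every criterion is proven."""
    remediation = []
    if p.firewall_enabled is not True:
        remediation.append("enable host firewall")
    if p.antivirus_installed is not True:
        remediation.append("install anti-virus")
    elif p.av_definitions is None or p.av_definitions > today:
        # Missing or future-dated definitions cannot be trusted.
        remediation.append("report valid anti-virus definitions date")
    elif today - p.av_definitions > MAX_AV_DEFINITION_AGE:
        remediation.append("update anti-virus definitions")
    if remediation:
        # Non-compliant endpoints only reach the remediation segment.
        return {"device": p.device_id, "decision": "quarantine",
                "segment": "remediation", "remediation": remediation}
    # Post-admission control: the policy also decides where the endpoint may go.
    segment = "corporate" if p.corporate_owned else "personal-device"
    return {"device": p.device_id, "decision": "admit",
            "segment": segment, "remediation": []}

# Constructed sample endpoints, not data from the paper.
TODAY = date(2010, 7, 15)
SAMPLES = [
    Posture("laptop-01", True, True, True, date(2010, 7, 13)),
    Posture("netbook-07", False, True, True, date(2010, 5, 1)),
    Posture("phone-22", False),                  # reports nothing at all
    Posture("laptop-09", True, False, True, date(2010, 8, 1)),
]

def run_samples() -> list:
    """Evaluate every sample endpoint against the policy."""
    return [evaluate_admission(p, TODAY) for p in SAMPLES]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```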