It only seems like yesterday that organisations were being warned to watch out for people using thumb drives. The capability for someone to walk in to an organisation with a storage device in their pocket, download documents or other data via their PC and walk off with it was just too easy – and a big threat to information security.
Suddenly, there was a wave of organisations super-gluing the USB ports on computers and of vendors providing software that blocked the use of external storage systems. Now there are new versions of the same problem have come into play. One is the use of cloud storage systems like Dropbox, Apple iCloud and Microsoft SkyDrive. These enable an individual to access data from any of their devices at any time – provided that there is an internet connection in place.
Depending on the system used, the tools are pretty easy to use – from being able to select a file and upload it drag and drop or even direct integration with Office software. The capability for users to move corporate information from the direct control of the organisation into a storage space not even under the individual’s own full control abounds.
Perception vs reality
The standard response has been the knee-jerk reaction of attempting out-right prohibition. Employees are told not to use such systems – but this is often a policy with no actual policing. Furthermore, senior executives often seem to think that such prohibitions do not apply to them – and they tend to be the very employees who are dealing with the most sensitive information. Therefore, many organisations fall into a “perception of security” – there is a policy in place that in theory creates a secure environment, but in practice, employees are using the prohibited tools.
Organisations need to change mind set from one of attempting to stop usage to positively providing a better approach. It is important that organisations accept that with the increased mobility of the workforce and the higher usage of external contractors, consultants and others in a collaborative supply chain that the secure sharing of information is required to provide access to specific information to specific people via external systems.
On top of this, today’s world is a multi-access device one. A system that only supports Windows is no longer suitable for the modern workforce. Ensure that any system under consideration enables users to view – and wherever possible – edit or comment on documents that are available to them, on any common device/operating system combination.
Any solution being considered has to be at least as easy to use as the consumer-focused versions. If a system is seen as getting in the way of an employee’s work, then they will just work around it and carry on using the systems they have chosen for themselves. The key is to make the chosen system as easy to use as the common consumer ones – but to have more capabilities such that the individual can easily grasp the advantages in using it.
To make the system more attractive to the user, identify the functions that are required to meet their needs – not just the capability to store documents in the cloud, but areas such as being able to apply granular security to such storage, so that groups can share individual documents, that an external individual (e.g. from a supplier or customer) can be given access to a document for a defined period of time.
Document sharing systems such as Box provide these capabilities, and are more targeted towards business use than the free (or low-cost) consumer tools. This not only suits the individual, but also begins to move the overall control back to the organisation.
In the majority of cases, file sharing and cloud storage will not be enough. Look to capabilities over and beyond sharing: advanced tools such as KnowledgeTree provide document management capabilities along with workflows, document versioning, discussion capabilities and audit trails of actions that have been taken on documents; these are aimed fully at the business user. Alfresco, an open source document management system, also offers advanced capabilities, and has recently launched a cloud-hosted version.
Users need to be pointed in the right direction on the job to ensure that they don’t do something that is against the corporate direction – or at least, if they do, they do it with the full knowledge that it is wrong, and that it has been audited.
The use of data leak prevention (DLP) systems from vendors such as of CA, McAfee, Symantec, Websense, EMC/RSA and Trend Micro enable data traffic crossing an organisation’s boundaries to be checked and actions to be carried out if the data contains certain types of information or if non-preferred external sites are being used.
Therefore, traffic that is targeted to go to the likes of Dropbox, or documents that are deemed to have to remain under the direct control of the organisation, can be blocked, with the individual being reminded that this is not an acceptable storage environment for corporate intellectual property, and helping them to redirect it to the preferred system.
And don’t forget that many individuals are using systems such as Dropbox as a personal information backup system. Therefore, for the individual’s – but more importantly the organisation’s – sake, make sure that any system chosen will be backed up – single storage risks the loss of the organisation’s intellectual property. Ensure that the cloud provider has an adequate back-up strategy and that the organisation will be able to gain access to this if required.
Finally, do not forget your “incumbent” software provider. Both Microsoft and IBM have systems that may fit the bill. Microsoft has improved its hosted versions of SharePoint along with Lync and Office 365 to provide organisations with a business-class cloud-based environment that may work for many. IBM has launched SmartCloud for Social Business which is an integrated, full function system for organisations.
It is important that organisations respond to the needs of not just the direct employee, but also of the other people involved in the extended value chain. Security has to be granular, so that individuals can be given the correct level of access for short periods of time; that employees can be locked out from their information when they leave the company.
Consumer-focused, or even “prosumer”-focused systems are not often fit for corporate use by businesses of any size. Moving to a system with greater functionality alongside greater control and security is far better for all concerned – but the chosen system has to be easy to use so that individuals choose to use it – helped by being nudged in the right direction through effective security policies and tools such as the DLP to police the policies.