Personal emailing. Social networking. Blogging. Instant messaging. Video chatting. According to a recent survey by SearchCompliance.com, 27% or more of respondents say these activities are permitted in their organizations.
But when it comes to securing themselves against the risks associated with this growing trend of IT consumerization, the response in some organizations leaves something to be desired.
Sixty-three percent of respondents to the survey, taken by 654 participants during SearchCompliance.com's July 16 virtual conference on "Mobile Security Imperatives," stated their organization is "mostly secure," and 12% said "totally secure," when it comes to infrastructure as it pertains to devices, applications and information systems. However, another 25% noted their organization is "mostly unprotected" or "not secure at all."
"Enterprise and third-party software developers are now scrambling to take advantage of mobile devices," said Lisa Phifer, president at Chester Springs, Penn.-based consultancy Core Competence Inc. "All too often, they are doing that without taking the necessary steps to ensure safety and privacy."
Phifer and other presenters at the virtual conference pointed out that mobile consumer devices such as smartphones and tablets can benefit the business, giving it a huge productivity boost. But with these new benefits come new risks that many companies choose to ignore, presenters said.
Perhaps the different approaches to mobile device security are due to organizations' night-and-day attitudes around IT consumerization. When asked what their first reaction was when hearing the term consumerization of IT, 28% said "control and lock down," while 62% said "enable and support."
The best approach is a combination of the two, said John Harris, chief architect and global vice president of IT Strategy at GlaxoSmithKline, a U.K.-based pharmaceutical and consumer health care company.
"We have to think differently," Harris said. "We have to think about the user and how can we help them be effective to do what they need to do in a way that is secure enough to meet the needs of our organization without causing major exposure."
The possible loss of customer enterprise data was rated as the top concern around IT consumerization (cited by 32% of respondents), followed by potential network security breaches (24%) and difficulty meeting compliance requirements (15%).
"A bring-your-own-device (BYOD) policy is a must," said independent technology and privacy lawyer Johan Vandendriessche during his presentation. "You must raise awareness: Many infringements, many cases of liability arise simply because people are not aware of what they are doing. It will also help you cover your legal and liability risk."
IT consumerization and business processes
Survey respondents were also asked how many of their largest IT projects in 2012 will be justified as enabling, securing or managing IT consumerization. Fifty-two percent said "a few" of their large projects would be dedicated to these purposes, 33% said "none," and only 15% said "many."
There was also a wide range of answers when respondents were asked how much IT consumerization was affecting the way they provide IT services: 49% said it had affected IT processes "somewhat," and 35% said "very much." Ten percent said nothing had changed due to IT consumerization, and 5% said changes were extreme and altered everything about their IT department.
"Gone are the days when IT could take away administrative access and software installation rights," Phifer said. "On smartphones and mobile devices, IT cannot take sole responsibility for choosing, testing and deploying approved programs."
Instead, in the mobile world, end users and business users are the ones driving app selection -- dramatically changing IT's role.
"For smartphones and tablets, IT's job has really become to recommend safe mobile applications, to review them for vulnerabilities, to audit devices for unsafe or unknown applications, and to take remedial action to insulate business networks and data from adverse impacts," Phifer said.
When asked who is in charge of consumerization strategies at their organization, the CIO was cited by 65% of respondents, followed closely by the IT director (58%). The CEO and IT manager received more than 40% of the vote as well.
However, several respondents used the write-in option to cite positions ranging from the Chief Information Security Officer, to human resources, to the finance department as having responsibility for the IT consumerization strategy.
This organization-wide approach to IT consumerization is definitely something to get used to because of the huge change the personal use of mobile devices is bringing to the business environment, Harris said.
"Users are going to choose more and more how and when they work," Harris said. "Will we still have a corporate desktop for a while? Yeah, we probably will. But will we be able to assume that the world revolves around it and we have control and that's the only way of doing business? No. It's already gone."