Bring your own cloud
Few companies realise one in five of their employees store critical business documents in their personal cloud.
It appears that climate change is finally starting to make itself felt, certainly across Europe and particularly the UK, which is experiencing its wettest winter on record, with widespread flooding causing chaos.
Emergency agencies across the continent have been mobilised and are working to rescue affected communities, hold back floodwater and repair damaged infrastructure. The challenge for governments now is to try and shore up the defences against inevitable future flooding.
If only they had prepared the defences adequately in advance, there might not be such widespread devastation now.
This situation is a perfect analogy for what the business world is experiencing with regard to the threats and occasional devastation created by BYOD, and increasingly, bring your own cloud. The corporate world has seen a flood of mobile devices, and increasingly personal cloud accounts, entering its midst. For the most part, it has been struggling to keep control. There has become an urgency for adopting the right security strategy in order to stop the steady stream becoming an incontrollable flood, so to speak.
Both climate change and BYOD are underpinned by innocence, ignorance and selfishness having a detrimental effect on the corporate world. In the case of younger employees, they have become accustomed to using their own devices and cloud applications, and have an expectation to continue doing so in the work environment.
Such is the pervasive and ubiquitous nature of cloud applications - now loaded as default on all modern smartphones, tablets and computers in the form of applications such as Dropbox and iCloud - that many younger people genuinely do not realise they are using the cloud, and if they do, are unaware or unconcerned about the potential dangers. And as a recent Fortinet global survey illustrated, far too many are resistant to any suggestion that they should alter their behaviour for the safety of the organisation.
The Fortinet survey of 3 200 21-32-year-old employees across 20 countries should serve as a further dramatic warning for businesses to take this issue seriously and to put in place adequate and future-proof defence strategies.
The vast majority of employees surveyed (89%) have personal accounts for at least one cloud storage service. Seventy percent have used personal cloud storage for work purposes, with 12% admitting to storing work passwords, 16% financial information, 22% critical documents such as contracts and business plans, and 33% storing customer data. Alarmingly, 36% said they would contravene any policy banning personal cloud account use at work, even though increasing numbers of users are or have experienced cyber attacks themselves.
Mixing business with pleasure
The risk to the enterprise is posed by the very blurring of the boundaries between personal and business use of online applications. Users are more careless and vulnerable in their personal computing habits than they are in a work context. For example, recreational applications, such as those spread via social media, are fertile grounds for malware. Once the cyber criminal has access to the users' devices, it will not be the Facebook or Twitter password that interests him, but the valuable assets such as financial information and passwords, and the increasingly valuable Intellectual Property and business data that will be stored either on users' devices or their personal cloud applications.
These are the assets the cyber criminal can get good money for. In a world where information and data are highly valuable and critical to the business, no enterprise can afford to let their own data be used against them or for the benefit of competitors.
Both climate change and BYOD are underpinned by innocence, ignorance and selfishness.
Cyber criminals launching persistent attacks are aided and abetted by unwitting personal users who the cyber criminal naturally assumes will offer an easy access point for valuable business data via their personal devices. It is easier to get access to corporate data via the user in their personal realm than it is to attempt to directly break in to the enterprise network. And this situation is made even more sinister because the enterprise will often not be aware that the employee is transferring business data to his/her own device or personal cloud. How many businesses realise that one in five of their employees store critical business documents in their personal cloud? It is undoubtedly the case that many serious security breaches and thefts of company data are covertly conducted in this way and are never noticed.
With the impending widespread introduction of new connected technologies such as wearable computing, smart watches and connected cars, the situation is only set to become more complicated. Businesses need to heed this new warning and develop their strategies accordingly, implementing security intelligence at a network level to enable control of user activity based on device, applications and location.
As the Fortinet survey shows, businesses are largely ignorant of exactly where their critical business data is being stored by employees, and thus employees are increasingly the weak link in the security stance. IT managers need to develop strong policies and strategies to take account of the personal cloud. Alternatively, invest in some new buckets and mops in readiness for the inevitable cloudburst and flooding.
Perry Hutton, regional director of Fortinet for Africa, comes from an accounting background and has spent the last 22 years in IT, the last 10 of which have been in IT security specifically. Hutton was responsible for introducing Fortinet to the African market back in 2003, when he was part of a distribution business. He subsequently joined Fortinet in 2007, and has since grown the Fortinet business in Africa to a continent-wide comapny, together with his team of 10. Hutton is hugely passionate about Fortinet and travels extensively on the continent growing and expanding the business.