Why firms need to ditch consumer cloud services
Employees using consumer-grade file-sharing software are unwittingly putting their organisations at risk...
The rise of Bring Your Own Device (BYOD) in the workplace has been heavily documented in recent years with commentators, both for and against, weighing in on the debate.
However, less attention has been given to a newer trend known as “Bring Your Own Collaboration (BYOC)” or “Shadow IT”, whereby employees use consumer-grade file-sharing and collaboration software, for example iCloud, in the workplace. Like BYOD, BYOC is now under scrutiny because of the security implications of confidential company data leaving systems and networks controlled by the company’s IT department, leaving it open to loss or theft.
In May 2014, Dropbox was under fire when it was revealed that there was an exploit in the service that meant privately shared files could be accessed. This vulnerability could be exploited when users shared files via share links, which were then inserted into the search box of their browsers. This showed a direct flaw in the service and the security implications of using it to store confidential data. Enterprise services which can enforce two-factor authentication resolve this issue by requiring a code, shared separately from the link, for example by SMS.
As the workplace grows more mobile and remote work becomes commonplace, the BYOC trend is becoming more prevalent. This presents a new set of data security problems for IT managers, as the consumer file-sharing and collaboration services being used lack several security features of their enterprise counterparts. They do not have corporate Service Level Agreements (SLAs) or corporate terms of use, and their positions regarding data privacy are seldom very clearly stated.
Once data has been transferred to a consumer file storage or collaboration service, it has left the boundaries of the corporate network and can no longer be managed centrally. Should an employee leave an organisation, their access to this data, or their ability to take it with them to a new employer, cannot be revoked.
Unfortunately, Dropbox isn’t the only consumer file sharing software to be investigated. Apple was infamously under investigation back in August when private images of over 100 female celebrities were leaked online. It was originally thought that hackers had found an exploit in its iCloud service that allowed them to brute force their way into the celebrities’ iCloud accounts. However, it soon came to light that the hackers had implemented a targeted phishing scam. Nevertheless, the incident highlights that these services do have flaws and it serves as a cautionary tale that users need to think twice when it comes to storing confidential data in consumer cloud services.
However, there are a number of steps that businesses can implement to ensure that their employees remain compliant whilst being able to benefit from remote and collaborative software.
Understand why the technology is used
The first step to ensuring secure remote and collaborative working is to analyse why certain technologies are used within the company in the first place. Many workers use consumer collaboration services as a means of increasing productivity. Asking why staff are using these technologies, and what particular functionality they find most useful, will allow organisations to determine what is lacking from their current IT infrastructure and how they can improve it.
Educate staff about the risks
Once the company has an understanding of why certain technologies are used, businesses can begin to work towards educating their staff on the security risks of using them.
When consumer cloud storage services such as iCloud are used in the workplace, employees are usually unaware of the security risks. Whilst their intentions are often good, educating staff is an essential step to ensure the potential threats are understood.
Implement the right technologies
After businesses understand why certain technologies are used within the workplace and have communicated the potential risks, they need to look at the current technology that they are already using and how they can deliver the functionality employees require to be more productive.
For many companies, enterprise-grade remote working and collaboration is becoming a necessity. By properly integrating these collaboration technologies into their environment, organisations can ensure that all employees are using the same technology, which allows administrators to manage confidential data properly and effectively and keep it safe.
These professional services also offer considerably more security and privacy than their consumer counterparts. For example, a large number of consumer cloud storage and collaboration services lack encryption features and can only offer low-level security. Their business-grade alternatives can offer much more robust data security, such as two-factor authentication, integration with Active Directory and assurances regarding encryption and data sovereignty.
Following the introduction of this type of software into the workplace, companies can feel more at ease that their staff are working productively whilst adhering to the acceptable usage policy. For the end user, the benefits over a consumer service are perhaps less obvious. Whilst the functionality they receive will be almost identical to using consumer services such as Dropbox and iCloud, they will have a much safer and more secure collaboration tool that will allow for effective remote working whilst ensuring that they are personally less likely to fall foul of data privacy and protection legislation.
Chris Sigley is general manager, Redstor