Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Cyber Security News / Security Talk Column / Columns

Are Productivity Apps More Harm than Good?

According to the website “Tech Cocktail,” there are some “awesome apps” out there to make employees more productive at work.

Yair Grindlinger

Yair
Grindlinger

According to the website “Tech Cocktail,” there are some “awesome apps” out there to make employees more productive at work. Work+, Evernote, Wunderlust, Time Doctor and Insightly are just a few.  But those apps that some employees say that they need can also be unsafe. So some IT departments are limiting their usage. The result? Employees become less productive – or alternatively, rebel, putting their company’s data at risk.

FireLayers CEO Yair Grindlinger offers tips for keeping both employee productivity and creativity high, while keeping company information safe.

 

Why are there misaligned priorities between IT security departments and employees?

While employees and the business look for functionality, usability and value-for-money, IT also looks at the non-functional aspects such as reliability, security, manageability, compatibility, and so on. Naturally, more often than not, there is a tradeoff between the functional and non-functional capabilities of technology products and services, especially for early stage companies. It may take some time for cloud application solutions to reach enterprise-grade maturity. I think the gap is slowly closing as technology is evolving and the cost of going enterprise-grade is gradually being reduced, while at the same time CISOs are developing a lot more flexibility and moving from heavy-weight rigid practices like ITIL and Six-Sigma to more lightweight, agile, adaptive and iterative practices.

 

Are there some types of applications that are more unsafe than others? 

I think it’s a lot more important to understand what level of risk the organization finds comfortable, and hence what are the protections it expects its applications to have. It is a lot more practical to form a picture of the organization’s information assets and to build a threat model around them. Then, through simulations it is easy to see how the cloud applications handling those assets fit into the model. That being said, in general, the higher the complexity of the application the greater the chance of a security failure. Typically, applications with diverse third-party integrations: APIs, mobile apps and so on, have a wider attack surface than “monolithic” applications.                             Also, although I believe in transparency, to an extent, security through obscurity works. Applications that are geared towards the enterprise and B2B, rather than B2C or C2C tend to be safer for the simple reason that they are less likely to be audited or exposed for testing. But, IT can only do so much to keep cloud applications and data secure. CISOs must also foster responsible cloud application usage among the organization’s employees. Training and support enabling responsible cloud application usage, specifically those that handle sensitive data (like IP, customer/employee PII, proprietary business information and financial data), manage infrastructure duties and financial transactions.

 

Can employers limit the types of cloud applications that are used in the workplace?

To a certain extent employers can limit cloud application usage, even institute blacklist policies, but in my view it’s futile. There is no way of 100-percent limiting exposure without affecting employee productivity. Simply blocking cloud applications leads employees to find alternative cloud-based solutions to their IT needs. Employee awareness and engagement is a lot more effective in ensuring responsibly cloud application usage. Understanding the jeopardy misuse of cloud applications can pose organizations tends to be a stronger driver than blanket blocking of cloud applications. IT can ensure a greater impact on cloud application security with training and knowledge transfer.

 

Why not just place a general “ban” on using certain cloud applications while working, like a no-smoking policy?

Banning specific cloud applications is bound to fail. Maintaining a blacklist of cloud applications is ineffective, at best. Numerous new cloud applications are launched every day – it is literally impossible to maintain such a list without a significant amount of false negatives. On the other hand, maintaining a whitelist is impractical without significantly affecting productivity for the same reasons. Being proactive and responsive to employee and customer needs will empower an organization to provide solutions with the right balance of usability and security meeting their risk profile.

 

What tips can you offer to keep employee productivity high and data safe?

The best advice I can give is to have a rigorous adoption practice in place. Allow for flexibility in terms of integration, size and depth of roll-out, modifications in features when considering security risks and user compliance. Furthermore, it is crucial to incorporate cloud application security into all aspects of the adoption cycle: from design, testing to ongoing maintenance.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Diane Ritchey

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Travel & the Ebola Risk

Are you and your enterprise restricting travel due to Ebola risks?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.