Security Talk Column / Columns / Cyber Safety

Are Productivity Apps More Harm than Good?

According to the website “Tech Cocktail,” there are some “awesome apps” out there to make employees more productive at work.

Yair Grindlinger

Yair
Grindlinger

According to the website “Tech Cocktail,” there are some “awesome apps” out there to make employees more productive at work. Work+, Evernote, Wunderlust, Time Doctor and Insightly are just a few.  But those apps that some employees say that they need can also be unsafe. So some IT departments are limiting their usage. The result? Employees become less productive – or alternatively, rebel, putting their company’s data at risk.

FireLayers CEO Yair Grindlinger offers tips for keeping both employee productivity and creativity high, while keeping company information safe.

 

Why are there misaligned priorities between IT security departments and employees?

While employees and the business look for functionality, usability and value-for-money, IT also looks at the non-functional aspects such as reliability, security, manageability, compatibility, and so on. Naturally, more often than not, there is a tradeoff between the functional and non-functional capabilities of technology products and services, especially for early stage companies. It may take some time for cloud application solutions to reach enterprise-grade maturity. I think the gap is slowly closing as technology is evolving and the cost of going enterprise-grade is gradually being reduced, while at the same time CISOs are developing a lot more flexibility and moving from heavy-weight rigid practices like ITIL and Six-Sigma to more lightweight, agile, adaptive and iterative practices.

 

Are there some types of applications that are more unsafe than others? 

I think it’s a lot more important to understand what level of risk the organization finds comfortable, and hence what are the protections it expects its applications to have. It is a lot more practical to form a picture of the organization’s information assets and to build a threat model around them. Then, through simulations it is easy to see how the cloud applications handling those assets fit into the model. That being said, in general, the higher the complexity of the application the greater the chance of a security failure. Typically, applications with diverse third-party integrations: APIs, mobile apps and so on, have a wider attack surface than “monolithic” applications.                             Also, although I believe in transparency, to an extent, security through obscurity works. Applications that are geared towards the enterprise and B2B, rather than B2C or C2C tend to be safer for the simple reason that they are less likely to be audited or exposed for testing. But, IT can only do so much to keep cloud applications and data secure. CISOs must also foster responsible cloud application usage among the organization’s employees. Training and support enabling responsible cloud application usage, specifically those that handle sensitive data (like IP, customer/employee PII, proprietary business information and financial data), manage infrastructure duties and financial transactions.

 

Can employers limit the types of cloud applications that are used in the workplace?

To a certain extent employers can limit cloud application usage, even institute blacklist policies, but in my view it’s futile. There is no way of 100-percent limiting exposure without affecting employee productivity. Simply blocking cloud applications leads employees to find alternative cloud-based solutions to their IT needs. Employee awareness and engagement is a lot more effective in ensuring responsibly cloud application usage. Understanding the jeopardy misuse of cloud applications can pose organizations tends to be a stronger driver than blanket blocking of cloud applications. IT can ensure a greater impact on cloud application security with training and knowledge transfer.

 

Why not just place a general “ban” on using certain cloud applications while working, like a no-smoking policy?

Banning specific cloud applications is bound to fail. Maintaining a blacklist of cloud applications is ineffective, at best. Numerous new cloud applications are launched every day – it is literally impossible to maintain such a list without a significant amount of false negatives. On the other hand, maintaining a whitelist is impractical without significantly affecting productivity for the same reasons. Being proactive and responsive to employee and customer needs will empower an organization to provide solutions with the right balance of usability and security meeting their risk profile.

 

What tips can you offer to keep employee productivity high and data safe?

The best advice I can give is to have a rigorous adoption practice in place. Allow for flexibility in terms of integration, size and depth of roll-out, modifications in features when considering security risks and user compliance. Furthermore, it is crucial to incorporate cloud application security into all aspects of the adoption cycle: from design, testing to ongoing maintenance.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Diane Ritchey

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+