According to the website “Tech Cocktail,” there are some “awesome apps” out there to make employees more productive at work. Work+, Evernote, Wunderlist, Time Doctor and Insightly are just a few. But the apps that employees say they need can also be unsafe, so some IT departments are limiting their use. The result? Employees become less productive – or alternatively, rebel, putting their company’s data at risk.
FireLayers CEO Yair Grindlinger offers tips for keeping both employee productivity and creativity high, while keeping company information safe.
Why are there misaligned priorities between IT security departments and employees?
While employees and the business look for functionality, usability and value-for-money, IT also looks at the non-functional aspects such as reliability, security, manageability, compatibility, and so on. Naturally, more often than not, there is a tradeoff between the functional and non-functional capabilities of technology products and services, especially for early stage companies. It may take some time for cloud application solutions to reach enterprise-grade maturity. I think the gap is slowly closing as technology is evolving and the cost of going enterprise-grade is gradually being reduced, while at the same time CISOs are developing a lot more flexibility and moving from heavy-weight rigid practices like ITIL and Six-Sigma to more lightweight, agile, adaptive and iterative practices.
Are there some types of applications that are more unsafe than others?
I think it’s a lot more important to understand what level of risk the organization finds comfortable, and hence what are the protections it expects its applications to have. It is a lot more practical to form a picture of the organization’s information assets and to build a threat model around them. Then, through simulations it is easy to see how the cloud applications handling those assets fit into the model. That being said, in general, the higher the complexity of the application the greater the chance of a security failure. Typically, applications with diverse third-party integrations: APIs, mobile apps and so on, have a wider attack surface than “monolithic” applications. Also, although I believe in transparency, to an extent, security through obscurity works. Applications that are geared towards the enterprise and B2B, rather than B2C or C2C tend to be safer for the simple reason that they are less likely to be audited or exposed for testing. But, IT can only do so much to keep cloud applications and data secure. CISOs must also foster responsible cloud application usage among the organization’s employees. Training and support enable responsible cloud application usage, specifically of those applications that handle sensitive data (like IP, customer/employee PII, proprietary business information and financial data), manage infrastructure duties and process financial transactions.
Can employers limit the types of cloud applications that are used in the workplace?
To a certain extent employers can limit cloud application usage, even institute blacklist policies, but in my view it’s futile. There is no way of 100-percent limiting exposure without affecting employee productivity. Simply blocking cloud applications leads employees to find alternative cloud-based solutions to their IT needs. Employee awareness and engagement is a lot more effective in ensuring responsible cloud application usage. Understanding the jeopardy that misuse of cloud applications can pose to organizations tends to be a stronger driver than blanket blocking of cloud applications. IT can ensure a greater impact on cloud application security with training and knowledge transfer.
Why not just place a general “ban” on using certain cloud applications while working, like a no-smoking policy?
Banning specific cloud applications is bound to fail. Maintaining a blacklist of cloud applications is ineffective, at best. Numerous new cloud applications are launched every day – it is literally impossible to maintain such a list without a significant amount of false negatives. On the other hand, maintaining a whitelist is impractical without significantly affecting productivity for the same reasons. Being proactive and responsive to employee and customer needs will empower an organization to provide solutions with the right balance of usability and security meeting their risk profile.
What tips can you offer to keep employee productivity high and data safe?
The best advice I can give is to have a rigorous adoption practice in place. Allow for flexibility in terms of integration, size and depth of roll-out, and modifications in features when considering security risks and user compliance. Furthermore, it is crucial to incorporate cloud application security into all aspects of the adoption cycle: from design and testing to ongoing maintenance.