The rise of ‘bring your own collaboration’ (BYOC)

By Paul Evans, Managing Director, Redstor.


It would be fair to assume that anyone working in the data security industry would be at least familiar with the concept of ‘bring your own device’ (BYOD) by now. The prominent trend for employees to use their own laptops, smartphones and other devices to handle sensitive company information has been repeatedly highlighted as a significant threat to the security of corporate data over the last 18 months or so.


However, as the contemporary global workforce becomes increasingly mobile, employees are required to communicate and collaborate with a growing number of colleagues, customers and stakeholders. The need to achieve this from various locations, often whilst working to strict deadlines, has meant that more and more employees are bringing consumer-oriented cloud storage and collaboration services to the professional environment.
The use of consumer file-sharing software like Dropbox in the workplace has presented a new set of data security hurdles for IT managers and CIOs to overcome. These were demonstrated at the beginning of this year, when users of the file-sharing site Megaupload were at risk of having a significant number of their data files examined and deleted after the site was found to have facilitated millions of illegal downloads.


While these consumer services have led to greater productivity and convenience, they lack corporate Service Level Agreements (SLAs) and corporate terms of use, and their positions regarding data privacy are often dubious. This absence of any form of policy or protocol means that many employees may be unwittingly bypassing critical compliance regulations when sharing sensitive company information with colleagues, customers and suppliers. Organisations could even see themselves on the receiving end of a civil court case if they are found to have unintentionally leaked any confidential information through consumer-grade collaboration software.


Companies that allow employees to select their own collaboration tools are also running the risk of ending up with a plethora of redundant applications installed on their systems. The accounts department may opt to use Dropbox whereas the sales team may decide to use Google Drive; this has the potential to create confusion when it comes to inter-department file-sharing and collaboration.


So how can IT managers and CIOs effectively manage BYOC, ensuring that their company remains compliant with collaboration and file-sharing regulations without hindering the vital collaboration process?

 

Education


One of the main issues facing CIOs and IT managers when tackling BYOC is the fact that many employees may be so wrapped up with meeting deadlines that they have not stopped to think about the potential implications of utilising consumer-grade software. It is therefore important to educate them on the dangers.


As a starting point, companies should revise their wider Acceptable Usage Policy (AUP) to include a section pertaining to the use of consumer software in the workplace. This should include all prohibited software along with the sanctions for breaching that section of the AUP. It is also advisable to discourage employees from using personal email accounts to discuss work-related topics or exchange company documents, as these may also lack the appropriate SLAs.


It is vital that companies follow this up with meetings or updates to explain the reasons for these changes to the AUP. Failure to do so may lead to the prohibited software becoming ‘taboo’ and employees feeling that senior management is being unreasonable, resulting in them using the consumer-grade software anyway.

 

Understanding


Once a company has laid down the law when it comes to BYOC, an important question must be asked: why did employees decide to use consumer-grade collaboration software in the first place? If the majority of employees are utilising a consumer service such as Dropbox as a means of increasing productivity or facilitating mobile working, this may present a shortcoming in the company’s service provision.
Communicating with employees to establish what particular functionality made them decide to turn to a consumer option will work wonders for acquiring a view of the bigger picture and will be invaluable when formulating a way to address the issue. Perhaps the company offering is outdated and slow? If the software is only available internally, it may be frustrating for employees wanting to collaborate or share files with external stakeholders such as customers or suppliers.

 

Business-grade alternative


In response to this growing requirement, enterprise-focussed access-anywhere storage and collaboration services such as Redstor’s Centrastor service are being developed. The benefits they bring are numerous.


For the CIO, IT manager or Risk manager, these services provide a means of (re)centralising control over corporate data. By ensuring all staff are using the same technology and by providing a single centralised console from which to administer all users’ access, IT Administrators can ensure they have absolute visibility and control over the data they’re responsible for protecting. If the service chosen features the ability to integrate with existing management systems such as Active Directory, it can then be easily incorporated into an existing IT environment in such a way that the additional management required is negligible.


In addition to providing centralised control, these services also include advanced security features lacking in their consumer counterparts. For example, a large number of consumer cloud storage and collaboration services do not feature encryption. The result is that a company’s data may be stored on low security file servers belonging to the service provider in whatever country or countries their service is provided from.


Setting aside the fact that there may be active government or industry legislation prohibiting the data in question from crossing borders, the data is still sitting unencrypted on a third party’s servers, where it can be read by the service provider. In a worst-case example, if the consumer service provider is hacked, which has proven all too common recently, the data could be easily read by the hackers themselves. Taking or transferring data offsite unencrypted, especially if it contains personal information, is itself a very serious breach of legislation and an offence for which the Information Commissioner’s Office (ICO) is capable of levying a fine of up to £500,000.00.


A true business-grade alternative offers very strong encryption (for example 256-bit Advanced Encryption Standard (AES) encryption) of data before it leaves the employee’s device. This ensures the data cannot be read except by the company to whom it belongs. Similarly, a true business-grade alternative will include stringent, financially backed SLAs regarding where that data will be held geographically and will provide assurances in terms of the level of availability that will be provided. If these SLAs are not achieved then the subscriber organisation will be eligible for compensation.
A provider of enterprise cloud services would also likely have gained accreditations such as ISO 9001 and ISO 27001 in order to provide reassurances to clients that their quality and security processes are sufficiently robust. These accreditations are less prevalent in the consumer arena and, as such, it’s more challenging to vet potential suppliers.


For the end user, the benefits over a consumer service are perhaps less obvious. Whilst the functionality they receive will be similar to that which they could gain using a consumer service, they will no longer be placing themselves potentially at risk of dismissal in severe instances and their organisation at risk of fines, loss of reputation or loss of intellectual property. They will also gain access to support from their helpdesk in the event of an issue and their cloud storage and collaboration will be centrally configured and properly integrated rather than potentially blocked by enterprise firewalls.