This article can also be found in the Premium Editorial Download "CIO Decisions: Establishing an effective BYOD security policy."
When it comes to consumerization -- whether you're referring to social media, mobile devices, cloud services or all of the above -- 99.9% of employees will use common sense and take corporate data security measures into consideration before they share data, according to Trigo, vice president and corporate CIO of The Hanover Insurance Group Inc.
Still not worried? Talk to an information security officer at a heavily regulated company like defense and aerospace systems maker Raytheon Co. about the use of cloud services or mobile devices, and you will quickly hear the counterpoint: "It's that 0.1% that can kill you."
"I don't think you can get away with saying [to auditors] that we educated our users about our security policies. Legally, it's not defensible," said Michael Daly, corporate director of IT security at Raytheon. "We need to do more due diligence, to the extent of being able to explain what we do to enforce [a security policy], how we measure compliance and -- when we do discover someone is out of compliance -- how we handle that."
Put the onus for data security measures on the vendor
Hanover's Trigo doesn't disagree on the due diligence requirement. He has faith that users will do the right thing, but that doesn't mean he doesn't have an arsenal of data security measures on the back end. His multi-pronged security strategy is far-reaching, but it doesn't put the onus on the user: It puts the onus on the vendor.
Trigo and his chief architect worked with Software-as-a-Service vendors to develop single sign-on for the many SaaS applications used by Hanover's 5,000 employees. When a user does attempt to buy a cloud service directly from a vendor, Trigo has set up the network to block the use of that service. "We have excellent relationships with the business, so they usually come to us to review a vendor and the contract before they buy something, but we also have a firewall and a central contract group that reviews all technology contracts before a service -- inside or outside of our walls -- can be bought," he said.
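Trigo describes the network-side control in a single sentence. What follows is an added illustration of that idea, not Hanover's configuration or code: a default-deny allow-list of the kind a web proxy or egress filter applies, where requests to SaaS hosts the contract group has reviewed (and put behind SSO) pass, and anything else is blocked and surfaced so the business owner can be steered to the vendor-review process. The domain list, user names and proxy log lines are all constructed for the example.

```python
"""Default-deny egress allow-list for sanctioned SaaS (illustrative, not Hanover's code)."""
from urllib.parse import urlsplit

# Hypothetical allow-list: SaaS domains that passed contract review and sit
# behind the corporate single sign-on. Any subdomain of an entry is allowed.
SANCTIONED_SAAS = {
    "salesforce.com",
    "outlook.office365.com",
    "login.microsoftonline.com",
}


def host_allowed(host, allow_list=SANCTIONED_SAAS):
    """True if host equals, or is a subdomain of, a sanctioned domain.

    The "." prefix matters: a bare endswith("salesforce.com") would also admit
    a look-alike such as evilsalesforce.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allow_list)


def classify_request(url):
    """Return ("allow" | "block", hostname) for one outbound request.

    Anything without a recognizable host, or not on the list, is blocked.
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("block", host)
    return ("allow" if host_allowed(host) else "block", host)


# Constructed proxy log lines in the form "<user> <method> <url>".
SAMPLE_PROXY_LOG = [
    "alice GET https://na1.salesforce.com/home",
    "bob POST https://www.fileshare.example/signup",
    "carol GET https://outlook.office365.com/mail/inbox",
    "dave GET https://evilsalesforce.com/login",
    "erin GET https://salesforce.com.phish.example/sso",
]


def audit_log(lines):
    """Classify each log line; returns a list of (user, host, decision)."""
    results = []
    for line in lines:
        user, _method, url = line.split(maxsplit=2)
        decision, host = classify_request(url)
        results.append((user, host, decision))
    return results


def unsanctioned_users(lines):
    """Users who tried to reach an unreviewed service: the list IT would
    hand to the contract group, in the order the attempts appeared."""
    seen = []
    for user, _host, decision in audit_log(lines):
        if decision == "block" and user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    for user, host, decision in audit_log(SAMPLE_PROXY_LOG):
        print(f"{decision:5} {user:6} {host}")
    print("route to contract review:", unsanctioned_users(SAMPLE_PROXY_LOG))
```

The point of the default-deny shape is that a newly purchased service fails closed until someone has reviewed the vendor, which is exactly the order of operations Trigo describes; the look-alike hosts in the sample log show why the suffix match has to be anchored on a dot rather than a plain string suffix.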
Trigo is also pretty comfortable keeping large amounts of information in the cloud, whether with Microsoft's hosted Exchange service or Salesforce.com, based on the due diligence that goes on behind the scenes, he said. "One data breach could ruin us, so before we engage in a contract, we ask how [the vendor] does backups, what they have for DR [disaster recovery], what their security posture and capabilities are, who is responsible should something happen. Contractually we make sure we are covered very well."
Terri Tyler, information security officer at the Los Angeles Metropolitan Transportation Authority, is also a stickler for contract details. When she signs with a new service provider, she writes into the contract the right to audit the vendor's systems and examine its logs to see how the vendor is coding; on the front end, she has workstations set up for timed lockdowns if a user is careless.
But Tyler also puts some of the security burden on business managers -- in some cases, asking them to sign a disclaimer if they want a service despite warnings from IT not to use it. "Humor is the best weapon, and that's how I approach it if they still want to use something after I explain the possible ramifications and tell them it's not a good idea," she said.
The social media security conundrum
From a security perspective, it's a bit easier to control employee-owned mobile devices than it is to constantly monitor social media access and use. Questions abound, and they range from who is liable should an employee tweet sensitive company information to what the business case is for allowing employees to use Facebook during work hours.
"I think you have to build a whole new set of security policies and test them in a legal framework for [social media, cloud services and mobile devices]," Raytheon's Daly said. "Then there is the whole liability issue. [In one case], the government subpoenaed Twitter for deleted tweets [produced by an Occupy Wall Street protester]. That is a perfect example of how data in the cloud is outside your control." After all, the subpoenas, and Twitter's response to some of them, make it clear that you don't own your tweets.
Trigo is more interested in how social media platforms like Facebook can be used than in how access to them can be blocked; for that reason, Hanover Insurance employees are allowed to use Facebook at work.
"I heard about a 15-year-old girl who set up a Facebook page after a tornado to use as a communication vehicle with the Red Cross and find family members," Trigo said. "Should we do that? Could we run a business from [Facebook]? How to use it and what to use it for -- those are the things that really need to be thought through."
And those questions can't be answered if access is prohibited.