The study published in May 2013 by Ipsos Mori on behalf of Huddle found that a whopping 38% of U.S. office workers admit to storing work documents on personal cloud tools and services, including Dropbox, Google Drive and Apple iCloud. A staggering 91% report that they regularly use personal devices to access, modify and store proprietary files exposing their employers to information security risk.
The sheer volume of workers engaging in risky behaviors around managing their files and workflow habits demonstrates a pervasive disconnect between corporate policies, technological solutions and employee needs. When technology fails to keep up with workers, human nature dictates that workers will adapt and figure out a workable solution.
On an individual level, the information security risks associated with storing files on personal cloud accounts and accessing data via personal mobile devices seems harmless enough. Workers save time, avoid frustration and can work remotely without disruption. However, when you amass the thousands upon thousands of seemingly innocuous instances, the threat of breach on a macro level is enormous and eye popping.
It’s not a benign, ambiguous cyber security threat. The study reports that half of U.S. office workers want to be able to work from anywhere and quickly and easily access all of their documents. They don’t want to hunt around for “shared” documents on the network or worry that they’re working with an outdated file. And if there’s a problem with accessing the network remotely, they don’t want to be stuck unable to get to a file they need to get their job done. So they save files on USB drives, send them via email attachments and save them on personal cloud accounts to assure that they have the access they need when they need it.
Why are workers so cavalier about accessing and storing confidential files off of the corporate network and lackadaisical about protecting information security? Because for many organizations, there’s no way to track or prevent this activity and no meaningful personal culpability attached to engaging in risky behavior or causing a breach.
What does this mean for identity and access management and cyber security risks? It means that if you’re working with a legacy identity management software system that keeps content locked down within the walls of your organization, your employees will find a way to port and store what they need to get the job done and leave you vulnerable to security breach. If you’re not tracking personal mobile devices accessing your systems, you’re turning a blind eye to the biggest and most pervasive data security threat facing your organization.
If your employees are accessing and storing files on personal devices and cloud accounts, you’ve essentially lost control of your proprietary data and cyber security. Your files are stashed all over the place for anyone to access at any time, including terminated employees and competitors.
Just imagine the damage a disgruntled or terminated employee can wield with company files stored in personal locations. Even if you terminate their access to your systems immediately, you can’t be sure that you’ve retrieved every last file that they’ve stored elsewhere and what they do with your data once they have left the organization.
The threat extends beyond the disgruntled and malicious. The proliferation of benign negligence — defined as not paying attention to rules protocols because they’re a pain in the neck — is the largest, most persistent and serious threat of all. It doesn’t matter if a breach is unintentional or intentional — the damage is the same.
The reality is that if you merely focus on educating employees around data security protocols, it’s a futile exercise. It’s far more effective to recognize and address the unmet needs of your employee base around file access management and working remotely. When you stay one step ahead of your employees and accept the fact that they will use personal devices on the job and get frustrated and figure out how get around the limitations of your identity access management protocols and capabilities, you’ve taken a critical step in the right direction.
Watch Ryan Ward, Chief Innovation Officer at Avatier, describe how to return identity and access management to the business user with Avatier’s Identity Access Management software.
Learn the role IT automation and business driven self-service administration play in creating lean operations. KuppingerCole’s Assignment Management — Think Beyond Access describes the shift in IT operations from tightly controlled identity management processes to workflow enabled administration.