Bring your own apps: The new consumer threat to the CIO

Non-standard apps and cloud services are sneaking into the workplace. Here's what you need to be prepared for.
The CIO's control over workplace IT is gradually slipping away as today's digitally savvy workforce has decided it wants to call the shots when it comes to the technology it uses at work. But it's not just their iPads and laptops that staff are bringing into the office; they're also sneaking their own apps onto the corporate network, introducing a new security headache and management challenge for the CIO.

Whether that's sharing documents in the cloud via Dropbox or Google Docs, downloading document reading apps or installing open source office and collaboration software, workers are no longer grateful consumers of software handed to them by the IT department, as Mark Bramwell, CIO for the global health foundation the Wellcome Trust, points out.

“We talk about a tech-savvy community but it goes far beyond that. People are used to everything from downloading software, to setting up and configuring it. Everybody is potentially now a developer and a configurer of applications,” he told me at an event to launch “Great expectations or misplaced hopes?”, a report by the Economist Intelligence Unit looking at changing workplace technologies.

The CIO has to accept, Bramwell said, that there are no watertight methods for securing sensitive corporate data stored in a public cloud-based app or service. “If you are looking for guarantees over availability or security there are not solutions that we can totally guarantee as an IT department, because as soon as it [corporate information] leaves this building it is out of our control, it's in the public domain,” he said.

Protecting valuable corporate data stored in cloud-based consumer apps is as much of a challenge for IT chiefs as securing data on consumer devices. Whereas tablets and smartphones can be updated with software to remotely wipe them if they are lost or stolen, the enterprise IT team will not usually have the same ability to directly erase data if a cloud app is compromised.

If a member of staff's account with a public cloud storage provider is compromised, they may not know about the breach until some time after it happens, unlike when a personal device is lost and the risk to the data stored on it is immediately apparent. There is also the risk that by copying corporate data to a public cloud provider's server, staff may be breaching data protection laws governing the regions where certain information can be stored.

But consumer apps in the workplace don't just carry a security risk: once non-enterprise apps start to proliferate in the workplace and the helpdesk requests start to build up, they can be a burden on the in-house IT team. “Clearly there's a cost of ownership,” said Bramwell. “I can support 100 document reader applications if I have an expanded team who is proficient and knows the ins and outs of every one of those 100 applications. That clearly comes at a greater cost than only having one or two document reader solutions where I only need one person who's proficient in them to support and maintain them.

“Where there is a proliferation of solutions it's not about being prescriptive about what people can and can't do, it's about making sure they integrate properly, that people are aware of the risks and issues, and the service levels they might face from using those.”

While staff usually choose to use personal apps or devices to make their working life easier, the adoption of new apps can also introduce new burdens for them. Take the Wellcome Trust's experience during its 18-month trial of paperless committee meetings, using reader apps on the iPad to access committee documents. Bramwell said: “All of a sudden you've introduced a step where somebody within the business has to convert a Word document into a PDF, and that then has to be emailed or put in a repository for them to pick up, and somebody then has to pick that up and load that onto a reader on the iPad.

“It's clearly more efficient than carting around several hundred pounds of paper, but a different way of working that means there is extra effort elsewhere in that workflow that people have to embrace,” he said.

Stopping staff from installing their own apps or blocking access to certain software-as-a-service offerings isn't really viable, because of the ever-present threat of workarounds, and it also risks barring the workforce from a genuinely useful business tool. A better way to deal with the spread of consumer apps, Bramwell said, is to educate staff about what information can be safely stored outside the corporate system and about the implications of installing personal software or accessing non-enterprise services at work.

If a workforce remains determined to use an unsanctioned app or cloud service that is causing problems for your organisation, blocking access is not necessarily the answer. Examine why staff seem determined to use this app or service, and see if you can develop or source an alternative that doesn't throw up the same security or management problems but matches the consumer product for usefulness: “What we need to do as CIOs is not react and respond, we need to move ahead proactively, by providing solutions that support the enterprise to collaborate and share information in ways that are equally readily available, equally intuitive and that perform equally well,” Bramwell said.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT decision-makers need to know about, and the latest happenings in the European tech scene.

10 comments
Too Old For IT

If it doesn't work on the network as we have designed it, tough. You get to figure it out. In addition, it will be no surprise when they are escorted from the building when their "must have" unsupported app or "must use" in the cloud file storage causes a data breach, or regulatory fine.

yorkshirepudding

Working for the UK civil service is like stepping back in time. The IT service provider, I will call them Mordac to protect the names of the guilty, has only just made it possible for us to open Office 2010 documents, despite the Office 2003 add-in being freely available for years. IE 8 only arrived late last year. When I can't even access the command prompt or store anything on the C drive, it forces you to find workarounds. When business tools don't meet business needs, it forces us to build our own solutions. I now have about 10 (and growing) different VBA tools to support Outlook (did I mention no email archiving?) and business functions.

Charles Bundy

I've been at this for a quarter century now and the customer base has always attempted to bring in personal hardware & software. Same goes for offsite data whether that is on a floppy or the latest cloud storage. In shops where I've been in charge we roll with the tide because I believe in “befriending” rather than “controlling”. That way it's an opportunity instead of a threat. In my experience you have a much greater chance of successfully managing what you know about!

Hans Schmidt

Reminds me of the time when I worked in the government of a BIG state. The CIO of our department insisted on equipping new computers with a suite that nobody used or wanted. The people who were computer literate in my unit, maybe 100 statewide, had already chosen a de facto standard, WordPerfect, and had learned how to use the apps and supported each other. Well, he decided that we should have something we didn't need or want based on what someone else told him. Typical. Trying to get support from them was useless. They had no dedicated support team, but they wanted to control everything.

NickABryant

This is happening because IT still sees its job as administering mail servers and acting as a blocker to new technologies. If IT doesn't offer the business better ways to collaborate and deliver objectives, then people will work around them.

rproffitt

Today, now, my work has me supplying my own laptop(s) and placing bear traps in the doorway that only snap when the IT staffer steps into them. At least they don't suffer long. I write embedded applications and maintain some old apps that use tools that no IT wants to go near. Yet these are core to the business. No sneaking. It's part of the job. (embedded) Bob

aevans196204

Whilst I agree that the add-ins to open the later releases of programs you use should be made available in a more timely manner, there is no real need for general users to have access to the command prompt or to access files on the C: drive (they should be on a network drive to ensure they are backed up). To prevent the spread of malicious code there is a code of practice all networks need to adhere to in the UK public sector, which means only patchable software is used and certain security principles are followed. One of the biggest issues that arise is where users write their own (undocumented) add-ins that, when they leave, fall on the IT support to sort out. I am sure there will be an IT policy that you are breaching by installing your own code - if it is useful and required then work with your IT support to get it used. If, as you say, your business tools do not match your business needs then you need to talk to your IT to come to a solution - after all, do they come in and change the way you do your job because they think they know better? The civil service has enough issues with politicians thinking they know better and making changes without knowing the implications - now users think because they own a PC they know more than the professionals.

bellrm

The PC got into many companies through purchasing signed off by departmental managers. Obviously as time went by, the PC (and enterprise systems) gained capabilities that enabled the PC to become a fully fledged component of the enterprise IT infrastructure. I see the same now: many of the devices and apps being brought into business today are just as enterprise-unaware as the early PCs. I think a significant part of the problem Mark Bramwell is trying to convey is that with consumer devices, such as the iPad, it is very difficult to lock them down and hence restrict users. The challenge the CIO and IT have is providing the core platform the business needs and ensuring it evolves to support the business. Part of this is harnessing the capabilities of the workforce to identify new technologies (devices and apps) that are helpful to the business, and incorporating them into the core offering. "The CIO has to accept, Bramwell said, that there are no watertight methods for securing sensitive corporate data stored in a public cloud-based app or service." I disagree, it is up to the business (i.e. the other directors and senior managers) to accept. All the CIO can do is to offer and implement solutions that reduce risks. Finally, the example of the paperless committee meeting is a good example of what can happen when IT is either not involved or fails to engage. The problem cited of users having to actively be involved in document conversion and distribution can be put down to a failure of analysis and design; alternatively this may have been deliberate, as given the trial was likely to senior managers, getting them to feel some pain can be helpful in getting budget sign-off... However it is not an example of users bringing their own apps.

spdragoo

Too many users have the mentality of, "I prefer using software X, so I don't care that my employer requires the use of software Y instead. I know better than my bosses & the CIO/CFO/CEO, so I'll just break the workplace rules & do it my own way anyway". Kind of the same attitude as, "I don't care if it's against the rules, I'm going to give my family & friends the 'special discount', & screw the company."

yorkshirepudding

I do not profess to know more than IT professionals about IT, but I do know more about what we do and what our needs are. Every business need our team has had, I have raised with IT, who in each case have said they are not willing to do anything and we just have to manage things as they are. I should point out that the IT team are more willing than the service provider - the service provider (their contract runs out next year) throw as many hurdles as they can and will charge over the odds for the smallest change, because they know their contract is ending and we (that is the whole organisation, not just my team) are not happy with them. To use one example, email archiving: managing EU funds requires all emails to be kept up to 2025. IT's solution: we should save each individual email by dragging it from Outlook to a folder on the shared drive. My solution: to write VBA code that saves the email message with a meaningful filename (date, time, inbox/sent, sender, conversation topic) and writes a record to a database (with a link to the saved file) to enable easy searching. The IT team are actually considering rolling out my solution wider to address issues where other users have a need to archive emails. For the record, I always thoroughly comment my code before rolling it out any wider than my own personal use. I concede there are some valid reasons to have things locked down, but every place I have worked before this has coped with less locking down than this. I am a laptop user, due to frequent travel, but the only way I can take a database with me to work on while on the train is by copying it to a memory stick, as databases are excluded from the sync of my personal area and I can't copy it anywhere else. I do otherwise only use network drives (even at home, I use network drives all the time rather than the C drive).

Also, we are not able to follow shortcuts from within applications - we have to navigate through all the folder structures simply to save a file. The point I am trying to make is that while in a perfect world IT would work constructively with users to meet business needs in the best way possible, not all IT professionals have the same level of professionalism, or bureaucracy gone mad just prevents anything getting done. When my bosses demand something, and I can't get anywhere from talking to IT, I still have to do something.