Bring your own apps: The new consumer threat to the CIO

Non-standard apps and cloud services are sneaking into the workplace. Here's what you need to be prepared for.

The CIO's control over workplace IT is gradually slipping away as today's digitally-savvy workforce have decided they want to call the shots when it comes to the technology they use at work. But it's not just their iPads and laptops that staff are bringing into the office; they're also sneaking their own apps onto the corporate network – introducing a new security headache and management challenge for the CIO.

Whether that's sharing documents in the cloud via Dropbox or Google Docs, downloading document reading apps or installing open source office and collaboration software – workers are no longer grateful consumers of software given to them by the IT department, as Mark Bramwell, CIO for the global health foundation the Wellcome Trust, points out.

"We talk about a tech-savvy community but it goes far beyond that. People are used to everything from downloading software, to setting up and configuring it. Everybody is potentially now a developer and a configurer of applications," he told me at an event to launch "Great expectations or misplaced hopes?", a report by the Economist Intelligence Unit looking at changing workplace technologies.

The CIO has to accept, Bramwell said, that there are no watertight methods for securing sensitive corporate data stored in a public cloud-based app or service.

"If you are looking for guarantees over availability or security there are not solutions that we can totally guarantee as an IT department, because as soon as it [corporate information] leaves this building it is out of our control, it's in the public domain," he said.

Protecting valuable corporate data stored in cloud-based consumer apps is as much of a challenge for IT chiefs as securing data on consumer devices. Whereas tablets and smartphones can be updated with software to remotely wipe them if they are lost or stolen, the enterprise IT team will not usually have the same ability to directly erase data in the case of a cloud-app being compromised.
If a member of staff's account with a public cloud storage provider is compromised, they may not know about the breach until some time after it happens, unlike when a personal device is lost and the risk to the data stored on it is immediately apparent. There is also the risk that by copying corporate data to a public cloud provider's server, staff may be breaching data protection laws governing regions where certain information can be stored.

But consumer apps in the workplace don't just carry a security risk. Once non-enterprise apps start to proliferate in the workplace, and the helpdesk requests start to build up, they can be a burden on the in-house IT team.

"Clearly there's cost of ownership," said Bramwell. "I can support 100 document reader applications if I have an expanded team who is proficient and knows the ins and outs of every one of those 100 applications. That clearly comes at a greater cost than only having one or two document reader solutions where I only need one person who's proficient in them to support and maintain them.

"Where there is a proliferation of solutions it's not about being prescriptive about what people can and can't do, it's about making sure they integrate properly, that people are aware of the risk and issues, and service levels they might face from using those."

While staff usually choose to use personal apps or devices to make their work life easier, the adoption of new apps can also introduce new burdens for them. Take the Wellcome Trust's experience during its 18-month trial of paperless committee meetings, using readers on the iPad to access committee documents.

Bramwell said: "All of a sudden you've introduced a step where somebody within business has to convert a Word document into a PDF, and that then has to be emailed or put in a repository for them to pick up and somebody then has to pick that up and load that onto a reader on the iPad.

"It's clearly more efficient than carting around several hundred pounds of paper, but a different way of working that means there is extra effort elsewhere in that workflow that people have to embrace," he said.

Stopping staff from installing their own apps or blocking access to certain software-as-a-service offerings isn't really viable, due to the ever-present threat of workarounds, and also risks barring the workforce from utilising a genuinely useful business tool.

A better way to deal with the spread of consumer apps, Bramwell said, is to educate staff about what information can be safely stored outside of the corporate system and the implications of installing personal software or accessing non-enterprise services at work.

If a workforce remains determined to use an unsanctioned app or cloud-service that is causing problems for your organisation, then blocking access is not necessarily the answer. Examine why staff seem determined to use this app or service, and see if you can develop or source an alternative offering that doesn't throw up the same security or management problems, but that matches the consumer product for usefulness.

"What we need to do as CIOs is not react and respond, we need to move ahead proactively, by providing solutions that support the enterprise to collaborate and share information in ways that are equally readily available, equally intuitive and that perform equally well," Bramwell said.

About

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
