The dark side of BYOD

Exploring new mobile and cloud platforms without a governance strategy can have consequences.

At the beginning of my IT career, I witnessed a number of decisions and project management practices which, at the time, just didn't seem to make sense. But I was young, and I often thought to myself that the people involved must have some other reasoning, some justification for their actions that I was just not privy to.

In short, I remained quiet when I should have spoken up. What two decades of experience has taught me is that there is rarely reasoning or justification behind actions that, at a gut-level, are clearly bad IT practices. We inherently recognize when common sense has taken a back seat.

There is most definitely a dark side to BYOD. For the most part, I am an advocate for the consumerization of IT (using non-standard apps and tools as a way to increase end user engagement and productivity) and support the bring-your-own-device model.

However, as a seasoned manager and IT operations leader, I recognize the risks that come with the model if organizations do not properly plan out their strategies, putting sufficient protections and governance practices in place to manage the potential risks that could come from these unsupported devices and applications. End users often want what’s NEW, but there are valid reasons for imposing and enforcing safeguards when giving mobile business users access to your otherwise secure, scalable, and compliant systems.

Some people equate governance with bureaucracy and hierarchical systems, but those perceptions often come from a lack of appreciation for the potential risks involved. Governance is about checks and balances -- supporting the tools and systems your end users want, but in a way that is manageable and which follows defined protocols.

Examples of rogue IT practices

A recent uSamp survey found that 41% of US mobile business users have used unsanctioned services to share or sync files, despite 87% saying they are aware that their company has a document-sharing policy that prohibits the practice. And 27% of the mobile business users who "went rogue" reported immediate and direct repercussions, from lost business to expensive lawsuits and financial penalties that, according to the survey, cost $2 billion.

While most IT professionals understand these risks viscerally, some business users need to crash and burn before they are willing to adjust their risky behaviors, which is not a message your employer wants to hear. Luckily, there is another way: learning from the mistakes of others. This month, I am one of six mobile security and IT experts judging a "Rogue IT" contest.  We’re collecting anonymous stories from the community about mobile and cloud-based app failures caused by business and IT users who disregard corporate governance practices. These real-world horror stories are great examples of the prevalence of rogue IT behaviors at work, and the very real risks they bring.

For example, a $500 million health and wellness company hired a consultant to audit its IT systems and confirm that its systems and practices complied with industry regulations and best practices. The consultant very quickly found that end users were sharing sensitive customer data (credit card numbers, bank routing numbers) over public email services (Hotmail, Gmail) and consumer instant messaging platforms (AOL Messenger, Yahoo Messenger, MSN Messenger), even though approved and documented communication processes were in place.

Because the consultant was required to report the violations, the CFO immediately locked down all unauthorized collaboration tools and instituted policy changes. The company was given just days to comply, facing hefty fines for each violation identified plus additional fines for each day its systems were found to be non-compliant.

In another example, a European company was getting an increasing number of requests from its users to connect personal iPads and smartphones to company systems. After IT resisted these requests for several months, the company finally decided to open up its email system to a "select number of executives" and shared the necessary passwords with them. Six weeks later, IT ran an audit on the system and found ten times as many employees connected to the corporate back-end environment as had been approved. The passwords had apparently been shared across the organization. Note the root problem: access was granted by handing out a shared secret rather than by enrolling specific people and devices, so nothing in the system could tell the approved executive apart from whoever had borrowed the password.
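The audit described above, as an added example that is not code from the article or from the company it describes: it parses constructed mailbox-sync log lines (the log format, account names, device identifiers and the approved-user list are all assumptions for this example), compares the accounts actually syncing against the approved list, and flags approved accounts that appear from more than one device, which is the only signal a shared password leaves behind when the account name alone looks legitimate.

```python
"""Audit mailbox-sync activity against the list of approved BYOD users.

Added example; the log format, user names, device ids and approved list
are constructed for illustration and are not from the original article.
"""
from collections import defaultdict

# Constructed sample log: one line per sync session,
# "<timestamp> <account> <device_id> <client>"
SAMPLE_SYNC_LOG = """\
2012-05-01T08:01:12Z ceo iPad-3F9A ActiveSync
2012-05-01T08:04:51Z cfo iPhone-77B1 ActiveSync
2012-05-01T08:10:03Z ceo iPad-3F9A ActiveSync
2012-05-01T09:12:44Z jdoe Android-0C22 ActiveSync
2012-05-01T09:13:09Z jdoe iPad-51E0 ActiveSync
2012-05-01T09:40:27Z asmith iPhone-A4D7 ActiveSync

2012-05-01T10:02:55Z cfo iPad-8811 ActiveSync
2012-05-01T11:17:30Z bwong iPhone-ED01 ActiveSync
"""

# Constructed: the "select number of executives" who were actually approved.
APPROVED_USERS = {"ceo", "cfo"}


def parse_sync_log(text):
    """Return {account: set(device_ids)} from the constructed log format.

    Blank or malformed lines are skipped rather than aborting the audit,
    so one bad line cannot hide the rest of the evidence.
    """
    devices = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, account, device_id, _client = parts
        devices[account].add(device_id)
    return dict(devices)


def audit(devices, approved):
    """Compare who is syncing against who was approved.

    Returns the accounts that were never approved, the ratio of connected
    accounts to approved accounts (the "ten times" figure in the story),
    and approved accounts seen from more than one device, which is the
    footprint a shared password leaves when the account name itself is
    legitimate.
    """
    connected = set(devices)
    unapproved = sorted(connected - approved)
    ratio = len(connected) / len(approved) if approved else float("inf")
    shared_credential_suspects = {
        account: sorted(ids)
        for account, ids in devices.items()
        if account in approved and len(ids) > 1
    }
    return {
        "unapproved_accounts": unapproved,
        "connected_to_approved_ratio": ratio,
        "approved_accounts_on_multiple_devices": shared_credential_suspects,
    }


def run_audit(log_text=SAMPLE_SYNC_LOG, approved=APPROVED_USERS):
    """Convenience wrapper: parse the log and audit it in one call."""
    return audit(parse_sync_log(log_text), approved)


if __name__ == "__main__":
    result = run_audit()
    print("Never approved:", result["unapproved_accounts"])
    print("Connected/approved ratio:", result["connected_to_approved_ratio"])
    print("Approved accounts on several devices:",
          result["approved_accounts_on_multiple_devices"])
```

The point of the third result is the caveat: an audit keyed only on account names would show the CFO as a single, approved user, while the device identifiers reveal that the same credential is being used from two devices. Enrolling devices individually, instead of distributing one password, is what makes the first two checks sufficient on their own.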

And at a large non-profit, the security team found out that several teams using Dropbox without IT authorization had recently been hacked. To understand how their accounts had been compromised, they called the cloud-storage vendor and told the person on the phone that they wanted to know more about how their organization had been using the platform. The phone rep volunteered far more data than they expected: "We have a list of 1,600 user names and their email addresses. Would you like that list?" The vendor was clearly interested in moving them to the enterprise version, and was willing to hand over a customer list without even authenticating the person who called. The incident was a double failure: the teams had put corporate data on a service IT had never vetted, and the service itself treated an unverified phone call as sufficient grounds to disclose account data.

Proactive governance

There are similar traits running through each of these real-world examples. For one, individuals subverted established processes, and went around informed IT leaders, with the goal of "getting work done faster." On the flip side, many IT organizations are not listening to the needs of their employees, causing some to feel that they have no choice but to "go around" IT in order to get their jobs done.

In each case, the lack of clearly documented -- and transparent -- change management practices may be the root cause of the problem: practices that provide a more open dialog between IT and end users about what is needed, and about why some consumer-driven tools and practices may not be the best fit for an enterprise.

Governance should not be feared or ignored, but seen by both management and end users as an important aspect of the change management model. Organizations that make governance and change management a priority are able to recognize new requests more quickly as they come in, validate the requirements to make sure requests are aligned with business activities, and ensure that all new tools and apps meet the relevant standards and regulations, reducing the risk of data meltdowns and unintentional-but-potentially-significant losses.

Christian Buckley is the Chief Evangelist at Metalogix. Keep an eye out here for more coverage from Christian's stint as judge at the "Rogue IT" contest.