Andy Travers, Vice President of EMEA (North, West, Central) for Fortinet
It appears that climate change is finally starting to make itself felt, certainly across Europe and particularly the UK, which is experiencing its wettest winter on record with widespread flooding causing chaos. Emergency agencies across the continent have been mobilised and are working to rescue affected communities, hold back floodwater and repair damaged infrastructure. The challenge for governments now is to try and shore up the defences against inevitable future flooding.
If only they had prepared the defences adequately in advance, we might not be witnessing such widespread devastation now.
This situation is a perfect analogy for what the business world is experiencing with regard to the threats and occasional devastation created by BYOD and, increasingly, Bring Your Own Cloud. The corporate world has seen a flood of mobile devices, and increasingly personal cloud accounts, entering its midst and, for the most part, has been struggling to keep control. There is now an urgent need to adopt the right security strategy in order to stop the steady stream becoming an uncontrollable flood, so to speak.
Both climate change and BYOD are underpinned by our own innocence, ignorance and selfishness having a detrimental effect on the corporate world. Younger employees have become accustomed to using their own devices and cloud applications and expect to continue doing so in the work environment. Such is the pervasive and ubiquitous nature of cloud applications – now loaded as default on all modern smartphones, tablets and computers in the form of applications such as Dropbox and iCloud – that many younger people genuinely do not realise they are using the cloud, and if they do, are unaware of or unconcerned about the potential dangers. And as a recent Fortinet global survey illustrated, far too many are resistant to any suggestion that they should alter their behaviour for the safety of the organisation.
The Fortinet survey of 3,200 employees aged 21-32 across 20 countries should serve as a further dramatic warning for businesses to take this issue seriously and to put in place adequate and future-proof defence strategies. The vast majority of employees surveyed (89%) have personal accounts for at least one cloud storage service. 70% have used personal cloud storage for work purposes, with 12% admitting to storing work passwords, 16% financial information, 22% critical documents such as contracts and business plans, and 33% storing customer data. Alarmingly, 36% said they would contravene any policy banning personal cloud account use at work, even though increasing numbers of users are experiencing or have experienced cyber attacks themselves.
The risk to the enterprise is posed by the very blurring of the boundaries between personal and business use of online applications. Users are more careless and vulnerable in their personal computing habits than they are in a work context. For example, recreational applications, such as those spread via social media, are fertile ground for malware. Once the cyber criminal has access to the user’s device, it will not be the Facebook or Twitter password that interests him, but the valuable assets such as financial information and passwords, and the increasingly valuable intellectual property and business data stored either on the user’s device or in their personal cloud application. These are the assets the cyber criminal can get good money for. In a world where information and data are highly valuable and critical to the business, no enterprise can afford to let its own data be used against it or for the benefit of competitors.
Cybercriminals launching persistent attacks are aided and abetted by unwitting personal users who, the cybercriminal naturally assumes, will offer an easy access point for valuable business data via their personal devices. It is easier to get access to corporate data via the user in their personal realm than it is to attempt to break directly into the enterprise network. And this situation is made even more sinister because the enterprise will often not be aware that the employee is transferring business data to their own device or personal cloud. How many businesses realise that 1-in-5 of their employees store critical business documents in their personal cloud? It is undoubtedly the case that many serious security breaches and thefts of company data are covertly conducted in this way and are never noticed.
With the impending widespread introduction of new connected technologies such as wearable computing, smart watches and connected cars, the situation is only set to become more complicated. Businesses need to heed this new warning and develop their strategies accordingly, implementing security intelligence at a network level to enable control of user activity based on device, applications and location.
As the Fortinet survey shows, businesses are largely ignorant of exactly where their critical business data is being stored by employees, and thus employees are increasingly the weak link in the security stance. IT managers need to develop strong policies and strategies to take account of the personal cloud. Alternatively, invest in some new buckets and mops in readiness for the inevitable cloudburst and flooding.