IT security professionals need to take steps to properly manage how employee-owned consumer devices are used in the workplace, analysts warned at Gartner's IT security summit in London this week.
With powerful consumer devices becoming increasingly ubiquitous in the enterprise, and homeworking on the increase, Gartner said it was important that technology privileges reflected genuine need to avoid security problems.
A survey by Gartner found that 15% of businesses will have at least some workers using their own devices by the year-end.
Brian Gammage, VP at Gartner, said it was crucial that the management of user-owned technology reflect the needs of staff carrying out day-to-day tasks, rather than simply the person’s rank within the organisation. Individual requirements of users in completing their work, weighed against the security risks they posed, ought to be the judging factors.
“It is vital to set policies on user-owned devices, and for the policies to reflect user profiles,” he said. “It is amazing how most companies focus on the technology they own and not on other devices and who is using them.”
One key area of risk being largely ignored was the technology being used by outsourced workers, in spite of the fact they were often handling sensitive data for the company they were serving and its customers. It was vital this technology was properly managed, Gartner said.
“I spoke to one major business that was even considering changing outsourcers to a company that would employ people working at home, on their own machines, handling sensitive information,” said John Girard, VP at Gartner. “They asked me what I thought, and I said I’d take a note of their name and make sure not to do business with them.”
But while it is important to set the right policies, analysts stressed that user-owned devices were no more of a security threat than other employee-controlled devices within the workplace.
Gartner said the key questions to ask when setting employee-owned technology policies are:
- Who is using the technology?
- How controlled is the PC environment as a whole?
- What are the legal, compliance and service level agreement implications?
- Who is responsible for buying software licences and security technology for these machines?
- Who is responsible for updating security?
- Who pays for support?
- How does the company ensure that employees purchase the right machine for the job?
- What level of remuneration is there for employees for handling their own IT?