Workers in the United States are putting themselves and their employers at risk by indiscriminately using nonsecure apps services on their mobile phones and tablets for work purposes. A prime example: Estimates based on a new uSamp (United Sampling) survey calculate the fallout from storing corporate documents on publicly available cloud services has already cost businesses $2 billion. The survey of 500 U.S. business and IT workers was commissioned by enterprise mobile app vendor harmon.ie to gauge the extent to which mobile workers are going rogue, by ignoring organizational policies for mobile device usage.
The appearance of the survey coincides with a massive rise in people using their mobile devices for work. Gartner Research recently estimated that 60% of workers have used a personal mobile device for work, many through ubiquitous BYOD (bring your own device) programs. I have written about the dangers of BYOD in the past, but this survey captures a new dimension of the prospect for serious mobile disasters brought on by "rogue IT," which is frightening because its scope is so large.
How large? The survey found 41% of workers have used an unsanctioned cloud service in the last six months, despite the fact that almost all of the respondents (87%) knew their company had a policy forbidding them from doing so.
Are businesses worried? You betcha. The survey found that the number one worry of corporate information technologists is the fear of a data meltdown due to compromised documents lost via unsecured file sync and storage services, beating out the threats of malware and viruses. File sync and storage services allow users to save documents in the cloud and share them with other people. Popular file sync and storage services include Dropbox, Google Docs, and Microsoft SkyDrive. Many of these services are intended for consumers or small businesses, but many enterprise workers use them as well.
It is interesting to note that the survey underscores a greater fear from internal rogue users than from outside attackers. Which makes sense, because it is well known that the potential for disaster caused by knowledgeable employees on the inside is much greater than that caused by snoops on the outside.
What I find so puzzling is that so many people are willing to put their careers at risk for the sake of sharing documents with colleagues. Why is that? I believe there are four reasons:
- The perceived risk of data being compromised is low.
- The perceived risk of getting caught is low.
- The punishment for getting caught is not significant.
- The need to share information is so great the workers feel they have no choice.
Let’s examine each of these reasons in turn:
- Perceived risks of comprising data and getting caught are low. All you need to sign up to a file sync and storage cloud service is basically a credit card. And who would even know if a worker shared a document using these services? Moreover, even if a document was compromised using these services, who would know about it and where it came from? For example, if a competitor got ahold of a document detailing future product plans, who would know about it (until it was too late) or where it came from? There is no audit trail because the breach occurred outside company’s control. But are the risks really that low? The rogue IT survey found that 38% of those who shared documents via unsanctioned cloud services reported at least one document had reached an unintended recipient. It’s probably no wonder; another recent report shows that at least one popular document sharing site, Dropbox, can be hacked and is vulnerable to cyber snoops looking for sensitive material.
- Punishment for getting caught is not significant. Since most companies don’t provide a secure document-sharing alternative for mobile users, they simply turn a blind eye to offenders. It’s literally the Wild West days of enterprise mobile computing; until secure solutions proliferate and policies are enforced, things are going to continue to be messy.
- The need to share information is great. To paraphrase Napoleon, "An organization travels on its documents." Project plans, contracts, product specifications, billing records, and many other electronic documents are the lifeblood of today’s business. So not being able to share important documents is a significant business impediment. With the majority of workers using personal tablets and smartphones for work, it’s no surprise that people are cutting corners to get their work done.
The survey found that the cost for compromised documents via mobile devices is far greater than most of us would believe. Some 27% of the respondents said that a document that had reached an unintended recipient had a palpable negative impact on their employer; the top three repercussions being losing (or nearly losing) business, lawsuits resulting in financial damages, and unintentionally sharing sensitive information with a competitor. Over half of these respondents (51%), said that the cost of the breach exceeded $10,000, with 20% reporting damages exceeding $50,000.
The new survey underscores the unintended consequences of not playing by the corporate mobile device-usage rules. And being aware of the dangers is step one in fixing the problem. So until businesses get serious about providing employees with not only mobile devices, but also the applications and services needed to use those devices for work, take precautions . . . and follow the rules. Work with IT to find and develop enterprise-grade alternatives to nonsecure consumer services. In the near future, organizations will have to provide approved mobile-file sync and share capabilities, because it’s so critical to their success. Until then, as always, when purchasing public cloud services, caveat emptor.
You can read the full report here.
Disclaimer: The survey was commissioned by enterprise mobile app company harmon.ie, where the author is employed as a product strategy executive.
Author David Lavenda is a product strategy executive at an innovative user-experience high-tech company. He also does academic research on information overload in organizations and he is an international scholar for the Society for the History of Technology. He tweets from @dlavenda.
[Image: Flickr user Cristiano Betta]