How much risk is associated with taking consumer products into our enterprise networks? Should we just say no? I think that to do so would not be a good strategic approach because many such products, MSN Messenger and Skype for instance, are often “good enough” for what we want to be doing and how we want to be using them.
I’ve been in many heated discussions about Skype. Where some individuals within the organisation see a need, others simply see unnecessary risk. I can see both sides of the argument and personally, I think the business needs win out because we can manage the risk. However, to quote the fact that Skype is free to use as an overriding reason is misleading. Skype is not free however you want to look at it. The first thing is that you generally need to pay for an Internet connection before you can use the software. Then, if you’re using it on company equipment within a large enterprise, it needs to be supported.
The most sensible thing to do is create some process whereby consumer products can be properly evaluated for use within the organisation. This process should look at risk as well as TCO. It’s important because if we don’t take into account the needs and the wants of our user population then they are likely to start conspiring against us. Conversely, we also need to maintain control of our networks and limit the vectors where data can be inadvertently or maliciously leaked. Strong mandates are becoming more essential than ever.
Some of the consumer-focused solutions infiltrating our networks include the various VOIP services such as the aforementioned Skype, web-mail, desktop search tools, instant messaging, and storage devices such as MP3 players. We then have blogs and social networking sites to also contend with.
Some of the risks include a lack of management capability, business-unfriendly EULAs, introduction of malware, data theft and network compromises. Some consumer software such as GoToMyPC opens up corporate networks across the Internet. Software such as Google Desktop Search enables searching across multiple computers and the search index is stored on Google servers for up to 30 days. There is a whole new myriad of risks to consider and the point I keep on making is that our dusty old data policies and clunky old processes are not going to help us manage it.
What we need are new, agile risk assessment processes and new policies that take into account our changing environments. Above all we need to maintain control and ownership of our networks.