As more employees expect companies to provide access to the mobile computing and social networking tools they rely on in their personal lives, many business owners realize they must provide some access not only to keep staff content but to stay competitive.
At the same time, granting employees freedom can open the door to data security breaches caused by spyware and malware, as well as lost or stolen notebook computers, smartphones and USB memory sticks.
Ever heard of a $49,246 notebook computer? Well, that’s the average value of a lost notebook based on replacement, detection, forensics, data breach, lost intellectual property and lost productivity costs, topped off by legal, consulting and regulatory expenses, according to a study from the Ponemon Institute. Another way of quantifying risk is to consider the average cost of a data breach, which amounts to roughly $202 per customer record.
“Small and medium-sized businesses may not make the data breach headlines, but that doesn’t mean they are immune to the problem,” says Mike Spinney, senior privacy analyst for the Ponemon Institute.
Such risks require companies to strike a balance between worker freedom and security. Businesses must give employees the IT tools they need to do their jobs, but temper that with security awareness and appropriate-use policies and guidelines. Recognizing that human error poses one of the greatest vulnerabilities, companies also must rely on technology to mitigate risk.
“Companies need to take the time to understand the implications of new mobile computing options and develop sensible user policies and risk awareness programs,” says Spinney. “Making sure that information is encrypted and that everyone who uses a notebook is aware of the cost impact if that information is compromised can make a big difference.”
Lathem, an Atlanta manufacturer of time and attendance technologies, encourages work/life balance by letting many of its employees work from home on Fridays (see "Productivity Propellant"). Workers use their own PCs, but Network Administrator Chris Croxton requires that teleworkers run antivirus software on their personal machines, and that they access company servers and store data there rather than locally.
Lathem deployed a web- and spam-filtering device to guard against spyware and malware and to block some types of content. “As a general rule, we frown on social networking,” says Croxton, noting that use of tools for non-business purposes impedes productivity. There are exceptions: Marketing has a Facebook page and uses Twitter, for instance.
As Croxton sees it, occasionally being viewed as Big Brother comes with the territory. “It’s my duty to enforce the policies that we’ve put into place,” he says, noting that those policies were created because he and other company leaders believed them to be the best way to protect the company.
Like Lathem, other companies are deploying security technologies and computing models to safeguard assets. Token or biometric authentication, network access control, full-disk encryption, data loss prevention, remote wiping of missing BlackBerrys and deploying thin clients or desktop virtualization all offer ways to guard against data leakage.
In all, the best approach to satisfying security concerns is to promote employee education and encourage responsible use, but be prepared to correct mistakes.
“There’s always going to be an instance where somebody inadvertently downloads a virus or something else that’s going to cause harm,” Croxton says. “As long as there’s a level of trust with the employee that we don’t feel it’s their intent to cause any harm, that’s the biggest thing.”