So, recently we were doing some work on a client’s site—small site, 20 users—and we were installing a new server with SBS. And yes, we had specific reasons for going down the server-on-site path. All relatively easy, although it can be a little time-consuming, especially when transferring data from an antiquated system.
One of the things that came to light was that all of the users had some type of cloud storage account (Dropbox, Cubby, Evernote) attached to their user profile, and each one had business information stored in those folders. When we were discussing the completion of the project in the wash-up, one of my technical support people brought this up in the conversation.
A relatively innocuous observation, but management did not know about the situation. Furthermore, they did not understand the inherent problems associated with all of these accounts. Most businesses do not realise they have a problem; others do not believe the evidence that is presented to them. These were the problems we pointed out:
Privacy. Every business needs it. Privacy is one of those systems that allow a business to flourish, but it also means that you have to invest substantial time and resources in maintaining that protection. Your internal privacy protection allows you to attract and maintain your client base. If they know that you do not value their privacy the same way they do, you will lose those clients.
Intellectual Property. IP is the lifeblood of your business. In simple terms, it is your business. It is how you do business, who you talk to, your pricing structure and all of your operational systems. It is how your business makes money. Why would you let this critical information outside your security envelope without proper checks and balances in place?
Lack of business control. By allowing your staff and users to have access to your information outside your office, you take a risk. There needs to be a good reason for allowing such a thing. Convenience is great, but if you are in a competitive market, that business information is your edge; you need to make sure that the confidentiality of the information is maintained at all times.
Cyber security. It all comes down to the barrier that you impose around your data. The risk analysis that you originally did to manage your security access is crucial to your business viability. By allowing anyone to access your data from anywhere, you're compromising your original risk analysis, so a new risk analysis has to be completed.
What happens when they leave? If staff leave your business under amicable terms, it is relatively easy to manage off-site or out-of-office information. What happens in a situation where you have to fire someone? You may restrict physical access to the building, as well as online access to your databases. But what about that information that they have uploaded to their Dropbox—the account you knew nothing about? That account may have all of your business-critical information, and the disgruntled employee can now take it to your competition. How much protection are you putting in that contract clause about working for another company?
Fortunately, there are ways to protect yourself from the BYOC problem.
The three P's are a great place to start. Policy, Procedure and Process will enable the business to control what people do, how they do it, and with what systems they are ALLOWED to do it. By restricting access, such a policy reduces the security envelope and allows you to have more control over the IP within the business. Constant monitoring and a regular risk assessment will also help you protect your IP.
Does your business have a problem with BYOC? If your answer is “I don't know,” you may have a burgeoning security threat that you're not even aware of. This is something that, as a small or medium business owner, you'd be wise to think about.