Companies large and small are seeing their proprietary information compromised by employees' personal devices, and they're taking action.
American Airlines employees sporting iPhones may be disappointed when they bring the slick new gadgets to work. The airline recently updated its list of mobile devices allowed to synch with the company's IT systems, and the Apple (AAPL) device didn't make the cut. "We'll only let certain things connect to our network," says American Airlines (AMR) Chief Information Officer Monte Ford. His main concern is ensuring outside electronics don't undermine the company's data security.
That preoccupation is widespread among Ford's peers. IT departments at companies as varied as Qwest Communications International (Q), Bank of America (BAC), and BusinessWeek parent The McGraw-Hill Companies (MHP) aren't supporting the iPhone. And worries over consumer tech span a raft of technology—from iPods to USB drives, to Google (GOOG) Gmail, even to gaming consoles such as Nintendo's Wii—wending their way into the workplace.
While many consumer gadgets and software applications can benefit a company—for instance, by helping employees get their jobs done more efficiently—the security implications are legion, says Ken Silva, chief security officer at VeriSign (VRSN), which specializes in network security software. "When we bolt those things onto corporate networks, we open up holes in the environment."
Ban the Interlopers?
Drugmaker Pfizer (PFE) found this out the hard way. An employee's spouse loaded file-sharing software onto her Pfizer laptop at home, creating a security hole that appears to have compromised the names and Social Security numbers of 17,000 current and former Pfizer employees, according to a letter Pfizer sent to state attorneys general on May 30. Pfizer's investigation showed that 15,700 of those employees actually had their data accessed and copied.
So why not curb the encroachment by banning outside software and hardware altogether? The fact is, much technology aimed at consumers is more innovative and cheaper than products made for companies and just makes good business sense, says Douglas Neal, a research fellow at Computer Sciences' (CSC) Leading Edge Forum Executive Program. Some workers have a difficult time understanding why they've got a 100-megabyte limit on their corporate e-mail account when they can get 2.5 gigabytes with Gmail, says Steve Prentice, chief of research at Gartner (IT).
"With few exceptions, people don't do it because they want to be awkward or break security or be a pain in the backside," he says of the tendency to use consumer tech at work. "They do it because of frustration, or a problem or limitation with the IT services provided by the organization."
Airline Goes with Google
In a recent study conducted by the Financial Times newspaper and researchers at the Leading Edge Forum, which brings together researchers and executives to explore IT-related subjects, two-thirds of surveyed U.S. and British FT subscribers said they had equipment at home that was as good as or better than the equipment they had at work.
KLM (AKH) knows those shortcomings all too well. When the airline wanted to put a search function on its corporate intranet, it spent much time and money testing a costly conventional corporate tool that simply didn't work well. The answer finally came in the form of the Google Mini search appliance that cost all of €2,995 ($4,128).
KLM is one of several companies that have formed the Consumerization Working Group to find ways to use consumer technologies more securely in the workplace. Other participants include DuPont (DD), Dow (DOW), Eli Lilly (LLY), and BP (BP). "There is a huge set of opportunities here," says Neal, who also heads the Consumerization Working Group.
Much More Comfortable
Those opportunities are created by an increasingly tech-savvy workforce whose personal and professional lives are more intertwined than ever. "Sunday morning and Tuesday afternoon are becoming completely the same," says KLM Chief Information Officer Boet Kreiken. At the same time, employees throughout organizations are becoming much more comfortable with a range of technologies.
In years past, employees might have had only a PC at home, notes Prentice at Gartner. Today they may juggle a network linking several PCs, printers, and backup devices connected to a high-speed Internet connection—in addition to a set-top box, gaming console, high-definition TV, and all manner of other Web-based services such as YouTube and News Corp.'s (NWS) MySpace.
Research by Gartner shows that employees' personal devices have already made inroads into corporate networks. The trend shows no sign of abating. As of September, 2005, 29% of employees and 24% of contractors were using noncompany-owned equipment on company networks, according to a Gartner survey of 404 IT managers in the U.S. and four European countries. Those managers expected use of noncompany-owned hardware to grow to 42% of employees and 32% of contractors by 2008.
Creative Risk Avoidance
Rather than fight the trend, some companies are experimenting with giving employees more choice regarding the technology they use—so long as they accept more responsibility for it. In 2005, BP began a pilot project that gives employees about $1,000 to spend on productivity-enhancing tools in addition to standard-issue equipment, according to an April report by the Leading Edge Forum's Neal. But before they can participate, employees need to pass the International Computer Driver License test, designed to test a person's computer literacy skills. BP declined to comment on the program.
The company takes other steps to give employees free rein while mitigating risk. In the case of its 18,000 laptops, BP cordons off its network by letting employees link to the Internet via consumer connections, from outside the firewall. At the same time it beefs up security on those machines. This lets employees safely experiment with software such as Amazon's on-demand computing and storage services.
Moving employees outside the firewall is an example of de-perimeterization, a growing movement to change the way corporations address technology security. In a business world where many employees are off-site, or on the road, or where businesses increasingly must collaborate with partners and customers, some say it's not practical to rely on a hardened perimeter of firewalls. Instead, proponents of de-perimeterization say companies should focus on beefing up security in end-user devices and an organization's critical information assets.
Freedom Breeds Inspiration
So a group of companies got together to figure out how to redesign corporate security to accommodate more fluid boundaries and officially formed the Jericho Forum in 2004. Members include Procter & Gamble (PG), Boeing (BA), and Dresdner Kleinwort.
The hope among many companies is that a little bit of technological freedom will inspire employees to innovate and find new ways of becoming more productive. Already, employees are experimenting with new Web technologies such as wikis, without the explicit permission of the IT department. In 2005, for instance, Intel engineer Josh Bancroft started a wiki because he thought it would be a good idea to have a central place to share information. That wiki, called Intelpedia, has caught on throughout the company and now has more than 5,000 pages of content (see BusinessWeek.com, 3/12/07, "No Rest for the Wiki").
And even though Monte Ford at American Airlines isn't letting the iPhone into his network, he still wants to foster an environment where innovation can occur without compromising security. His employees came up with the idea of putting the company's instant-messaging system on customized laptops for employees who have to complete a checklist at each plane before each takeoff.
Previously, the mechanics had to go back and forth between the plane and a computer room to look up information about systems and parts or to communicate with pilots. Now all that can be done at the plane. "You have to be willing to reward those things that bubble up from the bottom and expect people to come up with ideas," Ford says. "We're much better off as a company if very few things come from the top, other than direction."