Trend Micro: Corporate Data on Consumer Applications – Striking a Balance
Written by Paul Oliveria from Trend Micro
Much of the current discussion surrounding the growing—and inevitable—trend of consumerisation is focused on the impact of bring-your-own-device (BYOD) and on managing the growing diversity of mobile devices. However, another aspect that IT administrators and even business owners should not forget to consider is the other consumer-oriented technologies and services employees may have access to in the workplace.
Like BYOD, the benefits that come along with consumer technologies such as instant messaging applications and social networking sites also bring certain risks to corporate data. For one, these “consumerised” applications have had their fair share of threats that exploited their capabilities for the gain of cybercriminals and other threat actors.
What Goes In, What Goes Out
Recently, a backdoor was discovered attempting to compromise thousands of WordPress blogs through a brute-force attack. This poses a risk to organisations that use this blogging platform for corporate communications.
Last week’s discovery of the Citadel botnet’s resurgence in Japan is another example. According to our researchers, the recent campaign was found to be targeting customers of banking and financial institutions that operate only in Japan, specifically those with webmail accounts. This “localised” tactic is notable in itself. Put in the context of, say, a Japanese employee accessing his or her Gmail account in the office and accidentally setting off data-stealing malware in the corporate network, the repercussions can increase exponentially.
But beyond malware, web threats, and other attacks that attempt to get inside the organisation’s perimeter and gain access to information, the risks these consumer applications bring may also lie in the data they can carry out. As predicted, we have seen cybercriminals abuse legitimate services to carry out their attacks. The VERNOT malware is an example of such an attack: it abuses a popular (and consumer-friendly) cloud storage service to send out whatever data it gathers from an infected machine.
In addition, some businesses may have strong perimeter defences but lack the technologies or capabilities to monitor the data passing through the “normal” Web traffic these applications use. Thus, IT administrators may be blind to employees who are (un)wittingly disclosing information about the company through their personal email or instant messaging conversations.
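One way to regain some of that visibility is to account for outbound request bodies in ordinary web proxy logs, since both VERNOT-style exfiltration and careless uploads ride on the same HTTP traffic as legitimate use. The following is an added example, not Trend Micro’s code: it assumes a simple constructed proxy log format and a hypothetical list of watched consumer service domains, and flags users whose uploads to those services exceed a byte threshold.

```python
import re
from collections import defaultdict

# Constructed proxy log format (an assumption, not any real product's format):
# <timestamp> <user> <method> <host> <bytes_sent> <bytes_received>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<sent>\d+) (?P<recv>\d+)$"
)

# Hypothetical consumer cloud storage / webmail / chat domains to watch.
# Replace with the services actually seen in your own environment.
WATCHED_SUFFIXES = ("cloud-storage.example", "webmail.example", "chat.example")

def parse_line(line):
    """Return a dict for a well-formed log line, or None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    return rec

def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def flag_uploads(lines, byte_threshold=1_000_000):
    """Sum request-body bytes per (user, watched host) over POST/PUT requests
    and return the pairs whose total reaches byte_threshold. GET traffic is
    ignored because it carries no upload body of interest here."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        if is_watched(rec["host"]):
            totals[(rec["user"], rec["host"])] += rec["sent"]
    return {k: v for k, v in totals.items() if v >= byte_threshold}

# Constructed sample log: alice uploads ~1.1 MB to a watched storage host,
# bob sends a small message via webmail, one line is malformed.
SAMPLE_LOG = [
    "2013-01-10T09:00:01 alice GET www.cloud-storage.example 512 20480",
    "2013-01-10T09:00:07 alice POST api.cloud-storage.example 734003 512",
    "2013-01-10T09:01:15 alice POST api.cloud-storage.example 412007 512",
    "2013-01-10T09:02:30 bob GET news.example 256 80000",
    "2013-01-10T09:03:00 bob POST webmail.example 20480 1024",
    "this line is not a valid log record",
]
```

Running `flag_uploads(SAMPLE_LOG)` reports only alice’s 1,146,010 bytes sent to the storage host; lowering the threshold makes bob’s webmail upload show up as well.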
Balancing Freedom and Control
Organisations need to find a balance between giving their employees enough freedom and maintaining visibility and control over their data, wherever and however it is accessed. Having a solid plan to embrace consumerisation in all its technological aspects—device, software, platform, etc.—is the first step. More importantly, clear and well-thought-out policies (which should include strong employee awareness programmes), along with the proper technologies and solutions to identify and protect the most critical corporate data, should also be put in place.