Consumerisation complicates IT governance
Unrestricted use of consumer devices and public file-sharing services complicates IT governance and investigations, says forensic expert
The growing use of consumer devices and services in the workplace complicates both IT governance and investigations, according to an IT forensics expert.
Simon Placks, head of the IT forensics team at Ernst & Young, said that the storage of business data on staff-owned devices can make his job harder when he needs to investigate an incident.
Placks said he could be called into a firm in the aftermath of a cyber attack, in order to find out what data has been breached, how the attack happened and who perpetrated it.
Alternatively, he could be called in after a loss of intellectual property, whether by a malicious insider or a remote attacker.
"We can forensically image all company-owned machines, but what if staff are using their own devices to work?" said Placks, speaking exclusively to Computing.
"Your IT landscape becomes quite heterogeneous, and there can be legal complications around access to employee-owned devices."
He explained that the key lies in anticipating these issues before there is an incident requiring investigation.
"In certain jurisdictions you can put an agreement into place with your employees allowing you to look at the devices they use for work.
"So these agreements and acceptable use policies for employer-provided machines can help, but you must understand the jurisdiction and regulations of the country in which you operate, as they differ internationally."
Placks said that consumer devices, and the use of free consumer file-sharing and storage services in the cloud, make his job harder. The problem is one of IT governance: because of these technologies, firms often have no idea where their data is stored.
This echoes the findings of a recent survey that found that 77 per cent of UK companies have no policy regarding the use of public file-sharing services.
According to Placks, the key stage in discovering where a firm's data actually is lies in talking to IT managers and users.
"It's a top-down process. First you talk to IT managers to find out where data is supposed to be kept, and how it's supposed to be used.
"Then you talk to the users to find out where it actually is, and how they really use those systems."