Monthly Archives: February 2015

Protect company data by securing the personal cloud – a cautionary tale

Screen Shot 2015-02-08 at 8.53.17 PMI was part of the leadership team at a small technology company based in Europe and North America. As with many multi-national companies, there was friction around the strategic direction of the company and what verticals provided the greatest revenue opportunities. Unfortunately, the friction was never resolved and festered into a deep level of distrust between the US and European based business units. At times it got down right ugly.

The CEO convinced the Board to focus our technology in the financial services vertical where we had the strongest foothold and generated enough revenue to break even. Other members of the leadership team had very different points of view on where the product should evolve and several stealth projects started popping up. Yes, it is wise to focus on innovation and to make longer-term bets on where and how the market or technology may evolve. However, this can’t happen at the expense of making customers happy.

As a result, several “skunk works” projects were started, engineers ran amok and no one was in control of the code. Our CTO mentioned to me in passing that one project was being coded on a unsecured personal laptop…and the director of the team was not aware of it. When I heard that, I busted out the Rolaids. Oh boy. Clearly these “skunk” projects were stinking up our offices and needed to be reined in for corporate data and proprietary code was at risk.

An eagerly anticipated employee was hired and brought under management by the product organization. This employee was cherry picked from a competitor and had great knowledge of our type of technology and how to apply it to the financial technology vertical. He quickly got started creating innovative products and the team was excited to reap the benefits of a growing revenue side. Sounds great, right?! The company will own innovative products and the code to meet the lucrative financial technology vertical! WRONG!

Screen Shot 2015-02-08 at 8.42.21 PMThe leadership team learned that our innovative product dynamo was developing code on a work laptop, but was backing up to a personal cloud service. Our IT team had no policy in place to prevent or address this. Yikes. The company lost control of a proprietary asset. This employee was quickly reprimanded and asked to back up to a secured back up solution. Unfortunately, the relationship quickly soured and the decision was made to fire the employee. The employee was escorted out of the building, but a copy of the code was backed up to the personal cloud only hours before the termination. Clearly the employee saw this coming. Shit…the code was gone. The investment in the employee’s talents was wasted and company assets were outside of the company’s control.

Obviously once this incident happened, there was A LOT of finger pointing for why the right data policies and technologies were not in place to secure the personal cloud. This unfortunate tale is not uncommon and points to the many challenges company leaders, especially CIOs, face in a fast paced and innovative world. These many challenges are made even more complex with the adoption of cloud solutions and mobile devices in the business environment.

This personal yarn I’ve spun points to the importance of having CIOs and other IT leaders think through how to protect company asset. The first exercise is to implement a mobile enabled network access control (NAC) solution and policy. This technology will enable IT managers to define who and what devices have access to the corporate network. Speaking from my experience, a NAC solution and policy would have prevented employee personal laptops from accessing the secured network. IT would have easily identified the laptop’s posture and directed the employee to access a public Wi-Fi network. Given the wide adoption of mobile devices, it’s important to consider a NAC solution that is also mobile aware. Imagine the competitive implications if our code dynamo was able to access proprietary code through a powerful tablet he brought in the day we terminated his employment? By not controlling this device access, a company is leaving a back door open for data to escape.

A second exercise is to consider implementing a mobile security solution to secure the personal cloud. This is of paramount (I LOVE that word!) importance given how many productivity solutions are moving to the cloud. From my experience working for a multi-national company, cloud technology is very important to enable cross time-zone collaboration. However, it is mission critical that access to this cloud is controlled and managed. Cloud collaboration should only be occurring in secured environments where employees have the approved device posture and access credentials. If the right cloud solution is not in place, the company risks experiencing the code floating out the door accidentally or through deliberate nefarious employee activity.

Heed my words, young IT Jedi, or risk having your “Death Star” plans slip right through your fingers.*

*Star Wars fans, yes, I understand I’m mashing together a lot of Star Wars quotes with this sentence.


%d bloggers like this: