Consumer Technology in the Workplace: Managing
Security Risks and Maximizing Employee Productivity

Point of View
As employees become more mobile and use more consumer technologies in the workplace, corporate systems and information are increasingly at risk from security breaches. All organizations know that they should strengthen IT security, but smart IT departments approach the task in a way that improves, rather than stifles, employee productivity.

Traditional security models in which corporate information is protected by secure network perimeters only around an organization’s office environment are becoming obsolete. This is due to more mobile employees accessing corporate systems from outside the office and a proliferation in the number of device types and online tools, including smartphones, netbooks, Web 2.0 applications and social networking sites, that increase the number of corporate network entry points. These trends will only gain momentum as younger-generation ‘digital natives’ enter the workforce and more organizations allow employees and contractors to bring personally-owned devices into the workplace.

The productivity benefits gained from the increased employee mobility, flexibility and job satisfaction that result from the use of these new IT tools are considerable. However, as IT departments come under pressure to effectively manage and protect employee behaviors enabled by new tools, threats to the corporate network are becoming more sophisticated, targeted and insidious. Viruses, malware, spyware and phishing attacks are increasingly tailored to exploit specific security holes created by new device types and online tools. Employee downtime and the time and resources required to recover from such attacks have a real impact on employee and business productivity.

To protect the organization from these new threats, an IT department needs to create an extended security model that better secures the most exposed and weakest layers in the environment—the endpoints and the network infrastructure—and that includes employee education and policies that direct user behavior. However, this needs to be done in a way that still gives employees access to tools and capabilities they need to do their jobs more efficiently and effectively.

Enhancing Endpoint Security
For today’s employees, the nine-to-five workday is a thing of the past and the workplace can be just about anywhere. Depending on where they are and what they are doing, employees may choose to work on different devices, such as a laptop in the office, a smartphone while checking emails on the weekend, and a netbook while traveling. While out of the office they may be connecting to the network via a phone connection or even an unsecured wireless link, which renders the traditional security perimeter around a single office environment obsolete. To support the anytime, anywhere workplace, organizations need a new security perimeter that expands beyond four walls and flexes to cover all possible device types and connections an employee chooses to use at any given time.

When employees connect endpoints (such as PCs, netbooks, PDAs or smartphones) to the network at the office, they are protected by an enterprise-class security infrastructure that includes firewalls, IPS, proxy servers and more. However, when employees take devices out of the office, they become an exploitable leak in the perimeter.
An employee using a device outside of the office can unintentionally let his or her guard down, catch a silent virus, and then carry the virus inside the organizational perimeter upon return to the office. An infected endpoint can enable a person with malicious intent to gain ‘authorized’ access to a device or corporate network by collecting and re-using an authorized account and password, or take advantage of the user’s access when he or she is logged in. Viruses and malware are not the only threats. An opportunity for unauthorized access to the corporate network or sensitive data can happen as simply as an unsecured laptop or USB device being misplaced or stolen. This is why a critical element of an extended security model is enhanced endpoint security that includes stronger technology solutions to protect against infection and unauthorized access.

Most organizations have endpoint security in place through the use of host-based firewalls, anti-virus and anti-malware software, and identity management solutions. However, IT departments are not going to be able to prevent every breach, so the challenge is to find the infection faster and eliminate it at the endpoint before damage occurs. Despite long-term use, virus and malware controls on endpoints are not entirely effective. This is because most existing controls are based on blacklists that block access to known threats but are less effective against unknown threats, which can sit hidden within a device or the network for some time until activated. Whitelist or behavioral-based threat protection solutions deployed to endpoints help identify, quarantine and eliminate unknown risks more quickly, so they should be part of an enhanced security model.

To further protect against access threats, other important aspects of an enhanced security model are robust access management and identity authentication solutions on devices through the use of stronger passwords, biometric scanners, smartcards, security fobs and similar. To provide an extra layer of protection for highly-sensitive data being downloaded to and stored on devices, organizations should also consider using encryption technology.

Not only are there more sophisticated solutions for endpoint security being brought to market every day by security vendors, these solutions are increasingly being installed onto devices by OEMs and included in the latest versions of operating systems. For instance, some laptop models ship with built-in fingerprint scanners and facial recognition technology. Microsoft® Windows® 7 includes several enhanced security technologies, including device control technology, which specifies which external devices (such as USB drives, MP3 players, Bluetooth devices and DVDs) can be used on a PC and what data can and cannot be copied onto these devices, even when the user is not connected to the corporate network. Windows 7 also includes technology that prevents applications from being loaded onto a device unless they are on a defined list, and a function that acts as a ‘kill switch’ to remotely disable a device so that the data on it cannot be accessed. These built-in solutions can be powerful tools for securing devices, but it is up to the IT department to enable them as an integrated part of a security solution.

Enhanced endpoint security provides a strong layer of protection against threats and gives organizations more confidence in allowing employees to be more mobile and use a wider range of devices and applications that enhance productivity. However, some threats will still permeate the endpoint layer so an extended security model must also include greater protection for another vulnerable layer: the network infrastructure.

Controlling Network Access
The necessary reality these days is that an endpoint should be treated as a threat unless proven otherwise. Network Access Control (NAC) requires devices to prove they are safe to connect to the network (pre-admission), and controls where the endpoints are authorized to go and what they are authorized to do. When an endpoint attempts to access a network, an established security policy is invoked to ensure the endpoint meets all the required criteria in the policy. For instance, the policy might require that the endpoint has an appropriate firewall and anti-virus protection installed before the endpoint will be allowed to communicate on the network. If the endpoint does not meet the entrance criteria, NAC solutions can quarantine and remediate non-compliant, infected or misconfigured systems.

NAC technology has evolved from a focus on front-end network admission for endpoints to a focus on application-level controls. NAC solutions allow network administrators to define policies for endpoints without the need to have full (or any) control of those endpoints. NAC solutions provide a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments. This capability of NAC technology to enforce policies at network access time regardless of the endpoint type provides an organization with significant threat protection by preventing infected or compromised endpoints from
communicating with any other computer or application at the network level, thus preventing the compromise from spreading. Therefore, NAC is a critical element of an enhanced security model to address threats from increasing employee mobility and the use of consumer technology in the workplace.

Should a threat enter the network infrastructure past the NAC technology, it is necessary to quarantine and disable it quickly. The creators of viruses and malware are becoming better at disguising them so they can slip through controls and remain undetected while spreading through IT systems. This is why it is important for IT departments to improve their security analytics engines, which are intelligent tools that look beyond known threats to identify behaviors and traffic patterns on the network—such as malware that tries to communicate with systems or make new connections—and quarantine the threat. For this reason it is also important for organizations to increase protection for data at rest in storage devices as well as data in motion on the network. For highly-sensitive data, this may mean implementing encryption technology as well as improving NAC.

Mitigating Risk Through Policies
As always, technology is only part of the solution when strengthening security and minimizing risk. The strongest security systems can be rendered useless by an employee who mislays a piece of paper listing his or her passwords. The challenge for senior managers is to drive security into the culture of the organization by educating employees about their behavior and potential threats and rigorously enforcing behavior-related policies. The most comprehensive and effective means of doing this is to involve the IT, HR, legal, risk and senior management teams in setting and managing policy.

The employee education program and policies should cover, at a minimum:
• Where and when devices can be used;
• How to secure devices used to access the corporate network, including updating anti-virus and anti-malware definitions;
• Rules for copying sensitive data onto external media such as USB devices, DVDs and CDs;
• The use of passwords, including how often a password should be changed and whether the same password should be used to access personal resources, such as internet banking, and the corporate network;
• Data ownership and surrender/access, distinguishing between applications and data of the organization and the employee;
• Appropriate use of technology in the workplace, including HR issues such as workplace bullying, harassment, confidentiality breaches, etc.;
• Appropriate behavior, confidentiality and disclosure on social networking sites; and
• Consequences for breaching policies or program guidelines.

When the IT department is supplying the devices and applications used by employees, it has more control over security. However, it is becoming more common for organizations to allow employees or contractors to connect their personally-owned devices to corporate networks. Employee-owned equipment is a potential carrier of infections across the security perimeter. The security software and settings used on many personally-owned devices are generally not as robust or updated as often as their corporate equivalents. The risk exposure can be exacerbated if employees and contractors log onto the corporate network using unsecured home connections or public wireless networks. Given this situation, standards need to be set to ensure personally-owned devices adhere to corporate security policies. At a minimum, employees and contractors need to keep their anti-virus definitions up to date.

Organizations must also apply similarly robust policies to the use of social media and Web 2.0 applications. By basing these on logic and reason rather than applying blanket bans, organizations can educate employees to use these tools safely and responsibly—and productively. Different policies for different types of employees may be required based on their roles and need to access these sites and applications. For instance, the access policies may be different for a marketing employee who is responsible for posting videos to the corporation’s YouTube site and tracking brand mentions online, versus a call center employee whose role does not involve social media and whose KPIs are based on the number of inquiries handled per hour.

However, when employees access social media sites for any reason using a device that connects to the corporate network, they need to understand how their actions on those sites impact the organization’s security and reputation and their
personal security. One of the fastest-selling credentials on the black market today is Facebook logins. Cyber-criminals use these to distribute embedded viruses through ‘friends’ lists because many people will automatically open any link from a friend without any thought to the security behind it. Implied trust through social networking is an exploitable weakness. By warning employees about phishing scams and other malicious activity on websites and advising them of steps to avoid falling victim, and educating them about the risks around downloading files that potentially have a virus or malware embedded, an organization reduces the risk to its staff and itself. These social media policies should also clearly articulate what corporate information can and cannot be posted, who is authorized to speak on behalf of the organization, and the consequences of a breach.

Balancing Security With Productivity
For every organization, productivity may mean something slightly different, such as employees’ ability to give higher quality service to customers or citizens, meet critical deadlines, drive new innovations, or bring products or services to market faster. However, for every organization, productivity means employees using their time most efficiently and effectively, which requires giving them the right tools, access and information they need, when and where they need them. By tightening security controls too much and denying employees the right tools, access and data, productivity is stifled.

The key question presented to IT departments today is: how can they measure the productivity benefits gained from mobility and consumer technology against the risks and costs of an extended security model? The answer lies in two parts: firstly, actively and comprehensively monitoring the IT environment and secondly, better understanding users’ role requirements so it can be determined if the IT environment is truly supporting them to do their jobs effectively.

The first part can be assisted by using infrastructure and end user computing monitoring tools to determine how workers are using their time and how productive they are; how effectively the network, devices and applications are performing for them; and how well the security model is protecting the environment. Many IT departments are familiar with infrastructure monitoring tools that provide these functions. However, the challenge with most monitoring tools is that they track how a particular element is performing, but they do not always track the end-to-end user experience. When determining if the IT environment is supporting employee productivity, the monitoring needs to be from the user perspective. How well are the applications performing from the user perspective? In an organization with more mobile employees, how can the IT department monitor end-to-end performance no matter where the user is located? How can the IT department relate employee productivity impacts back to a specific security incident, like a malware infection?

The second part requires additional effort to truly measure the levels of employee productivity, the bottom-line value, and the benefits versus the cost. The most immediate place to start is by surveying workers and managers regarding their needs, if and how they use the IT tools they are given, and the benefits they see from greater mobility and the use of consumer IT tools. Common methodologies, such as Six Sigma Lean, can also help organizations understand how employee productivity impacts organizational productivity and the effectiveness of key processes and business outcomes within the organization. From evaluating these two parts, the productivity benefits can be weighed against the increased security costs to enable employees to be more mobile and use a greater selection of consumer technologies in the workplace.

With the many different types of IT devices available, the growing popularity of social networking sites and Web 2.0 applications, and younger-generation employees entering the workforce, it is inevitable that users will demand more flexibility and access to consumer technology, regardless of the IT department’s plans. By better understanding user needs and what productivity means for employees and the organization, the IT department can create an extended security model that not only better protects the organization, but also gives employees access to better tools to do their jobs more efficiently and effectively.
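
The pre-admission check described under Controlling Network Access, sketched as an added Python example that is not part of the Unisys paper and not any NAC product's API. The posture fields, the seven-day definition age limit, the segment names and the sample endpoints are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy values: the paper names the criteria, not the thresholds.
MAX_AV_DEFINITION_AGE = timedelta(days=7)
PRODUCTION_SEGMENT = "production"
QUARANTINE_SEGMENT = "quarantine"


@dataclass(frozen=True)
class Posture:
    """What an endpoint reports when it connects. None means 'not reported'."""
    device_id: str
    corporate_owned: bool
    firewall_enabled: Optional[bool] = None
    av_installed: Optional[bool] = None
    av_definitions_date: Optional[date] = None


@dataclass(frozen=True)
class Decision:
    device_id: str
    segment: str
    remediation: tuple  # what the endpoint must fix before re-evaluation


def evaluate(posture: Posture, today: date) -> Decision:
    """Treat the endpoint as a threat until every entrance criterion passes."""
    failures = []
    # A missing answer is a failure (fail closed): an endpoint cannot be
    # admitted just because it reported nothing.
    if posture.firewall_enabled is not True:
        failures.append("enable host firewall")
    if posture.av_installed is not True:
        failures.append("install anti-virus")
    elif posture.av_definitions_date is None:
        failures.append("report anti-virus definition date")
    elif posture.av_definitions_date > today:
        # A date in the future cannot be a real update timestamp.
        failures.append("report a valid anti-virus definition date")
    elif today - posture.av_definitions_date > MAX_AV_DEFINITION_AGE:
        failures.append("update anti-virus definitions")
    # corporate_owned is recorded but never relaxes the check: personally-owned
    # devices are held to the same policy as corporate ones.
    segment = QUARANTINE_SEGMENT if failures else PRODUCTION_SEGMENT
    return Decision(posture.device_id, segment, tuple(failures))


def admit_all(endpoints, today: date) -> dict:
    """Evaluate every connecting endpoint; returns device_id -> Decision."""
    return {p.device_id: evaluate(p, today) for p in endpoints}


# Constructed sample data, not taken from the paper.
CONSTRUCTED_TODAY = date(2010, 7, 15)
CONSTRUCTED_ENDPOINTS = [
    Posture("office-laptop", True, True, True, date(2010, 7, 12)),
    Posture("personal-netbook", False, True, True, date(2010, 5, 1)),
    Posture("unknown-smartphone", False),  # reports nothing at all
]

if __name__ == "__main__":
    for d in admit_all(CONSTRUCTED_ENDPOINTS, CONSTRUCTED_TODAY).values():
        print(d.device_id, "->", d.segment, list(d.remediation))
```

The silent smartphone is the case to note: it is quarantined because it proved nothing, not because anything was found on it.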



For more information visit www.unisys.com
© 2010 Unisys Corporation. All rights reserved. Specifications are subject to change without notice.

Unisys and the Unisys logo are registered trademarks of Unisys Corporation. All other brands and products
referenced herein are acknowledged to be trademarks or registered trademarks of their respective holders.

Printed in the United States of America 07/10 10-0199

TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 

Consumer Technology in the Workplace: Managing Security Risks and Maximizing Employee Productivity

Point of View

As employees become more mobile and use more consumer technologies in the workplace, corporate systems and information are increasingly at risk from security breaches. All organizations know that they should strengthen IT security, but smart IT departments approach the task in a way that improves, rather than stifles, employee productivity.

Traditional security models in which corporate information is protected by secure network perimeters only around an organization’s office environment are becoming obsolete. This is due to more mobile employees accessing corporate systems from outside the office and a proliferation in the number of device types and online tools, including smartphones, netbooks, Web 2.0 applications and social networking sites, that increase the number of corporate network entry points. These trends will only gain momentum as younger-generation ‘digital natives’ enter the workforce and more organizations allow employees and contractors to bring personally-owned devices into the workplace.

The productivity benefits gained from the increased employee mobility, flexibility and job satisfaction that result from the use of these new IT tools are considerable. However, as IT departments come under pressure to effectively manage and protect employee behaviors enabled by new tools, threats to the corporate network are becoming more sophisticated, targeted and insidious. Viruses, malware, spyware and phishing attacks are increasingly tailored to exploit specific security holes created by new device types and online tools. Employee downtime and the time and resources required to recover from such attacks have a real impact on employee and business productivity.

To protect the organization from these new threats, an IT department needs to create an extended security model that better secures the most exposed and weakest layers in the environment—the endpoints and the network infrastructure—and that includes employee education and policies that direct user behavior. However, this needs to be done in a way that still gives employees access to tools and capabilities they need to do their jobs more efficiently and effectively.

Enhancing Endpoint Security

For today’s employees, the nine-to-five workday is a thing of the past and the workplace can be just about anywhere. Depending on where they are and what they are doing, employees may choose to work on different devices, such as a laptop in the office, a smartphone while checking emails on the weekend, and a netbook while traveling. While out of the office they may be connecting to the network via a phone connection or even an unsecured wireless link, which renders the traditional security perimeter around a single office environment obsolete. To support the anytime, anywhere workplace, organizations need a new security perimeter that expands beyond four walls and flexes to cover all possible device types and connections an employee chooses to use at any given time.

When employees connect endpoints (such as PCs, netbooks, PDAs or smartphones) to the network at the office, they are protected by an enterprise-class security infrastructure that includes firewalls, IPS, proxy servers and more. However, when employees take devices out of the office, they become an exploitable leak in the perimeter.

An employee using a device outside of the office can unintentionally let his or her guard down, catch a silent virus, and then carry the virus inside the organizational perimeter upon return to the office. An infected endpoint can enable a person with malicious intent to gain ‘authorized’ access to a device or corporate network by collecting and re-using an authorized account and password, or take advantage of the user’s access when he or she is logged in. Viruses and malware are not the only threats. An opportunity for unauthorized access to the corporate network or sensitive data can happen as simply as an unsecured laptop or USB device being misplaced or stolen. This is why a critical element of an extended security model is enhanced endpoint security that includes stronger technology solutions to protect against infection and unauthorized access.

Most organizations have endpoint security in place through the use of host-based firewalls, anti-virus and anti-malware software, and identity management solutions. However, IT departments are not going to be able to prevent every breach, so the challenge is to find the infection faster and eliminate it at the endpoint before damage occurs. Despite long-term use, virus and malware controls on endpoints are not entirely effective. This is because most existing controls are based on blacklists that block access to known threats but are less effective against unknown threats, which can sit hidden within a device or the network for some time until activated. Whitelist or behavioral-based threat protection solutions deployed to endpoints help identify, quarantine and eliminate unknown risks more quickly, so they should be part of an enhanced security model.

To further protect against access threats, other important aspects of an enhanced security model are robust access management and identity authentication solutions on devices through the use of stronger passwords, biometric scanners, smartcards, security fobs and similar. To provide an extra layer of protection for highly-sensitive data being downloaded to and stored on devices, organizations should also consider using encryption technology.

Not only are there more sophisticated solutions for endpoint security being brought to market every day by security vendors, these solutions are increasingly being installed onto devices by OEMs and included in the latest versions of operating systems. For instance, some laptop models ship with built-in fingerprint scanners and facial recognition technology. Microsoft® Windows® 7 includes several enhanced security technologies, including device control technology, which specifies which external devices (such as USB drives, MP3 players, Bluetooth devices and DVDs) can be used on a PC and what data can and cannot be copied onto these devices, even when the user is not connected to the corporate network. Windows 7 also includes technology that prevents applications from being loaded onto a device unless they are on a defined list, and a function that acts as a ‘kill switch’ to remotely disable a device so that the data on it cannot be accessed. These built-in solutions can be powerful tools for securing devices, but it is up to the IT department to enable them as an integrated part of a security solution.

Enhanced endpoint security provides a strong layer of protection against threats and gives organizations more confidence in allowing employees to be more mobile and use a wider range of devices and applications that enhance productivity. However, some threats will still permeate the endpoint layer so an extended security model must also include greater protection for another vulnerable layer: the network infrastructure.

Controlling Network Access

The necessary reality these days is that an endpoint should be treated as a threat unless proven otherwise. Network Access Control (NAC) requires devices to prove they are safe to connect to the network (pre-admission), as well as controls where the endpoints are authorized to go and what they are authorized to do. When an endpoint attempts to access a network, an established security policy is invoked to ensure the endpoint meets all the required criteria in the policy. For instance, the policy might require that the endpoint has an appropriate firewall and anti-virus protection installed before the endpoint will be allowed to communicate on the network. If the endpoint does not meet the entrance criteria, NAC solutions can quarantine and remediate non-compliant, infected or misconfigured systems.

NAC technology has evolved from a focus on front-end network admission for endpoints to a focus on application-level controls. NAC solutions allow network administrators to define policies for endpoints without the need to have full (or any) control of those endpoints. NAC solutions provide a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments. This capability of NAC technology to enforce policies at network access time regardless of the endpoint type provides an organization with significant threat protection by preventing infected or compromised endpoints from communicating with any other computer or application at the network level, thus preventing the compromise from spreading. Therefore, NAC is a critical element of an enhanced security model to address threats from increasing employee mobility and the use of consumer technology in the workplace.

Should a threat enter the network infrastructure past the NAC technology, it is necessary to quarantine and disable it quickly. The creators of viruses and malware are becoming better at disguising them so they can slip through controls and remain undetected while spreading through IT systems. This is why it is important for IT departments to improve their security analytics engines, which are intelligent tools that look beyond known threats to identify behaviors and traffic patterns on the network—such as malware that tries to communicate with systems or make new connections—and quarantine the threat. For this reason it is also important for organizations to increase protection for data at rest in storage devices as well as data in motion on the network. For highly-sensitive data, this may mean implementing encryption technology as well as improving NAC.

Mitigating Risk Through Policies

As always, technology is only part of the solution when strengthening security and minimizing risk. The strongest security systems can be rendered useless by an employee who mislays a piece of paper listing his or her passwords. The challenge for senior managers is to drive security into the culture of the organization by educating employees about their behavior and potential threats and rigorously enforcing behavior-related policies. The most comprehensive and effective means of doing this is to involve the IT, HR, legal, risk and senior management teams in setting and managing policy.

The employee education program and policies should cover, at a minimum:

• Where and when devices can be used;
• How to secure devices used to access the corporate network, including updating anti-virus and anti-malware definitions;
• Rules for copying sensitive data onto external media such as USB devices, DVDs and CDs;
• The use of passwords, including how often a password should be changed and whether the same password should be used to access personal resources, such as internet banking, and the corporate network;
• Data ownership and surrender/access, distinguishing between applications and data of the organization and the employee;
• Appropriate use of technology in the workplace, including HR issues such as workplace bullying, harassment, confidentiality breaches, etc.;
• Appropriate behavior, confidentiality and disclosure on social networking sites; and
• Consequences for breaching policies or program guidelines.

When the IT department is supplying the devices and applications used by employees, it has more control over security. However, it is becoming more common for organizations to allow employees or contractors to connect their personally-owned devices to corporate networks. Employee-owned equipment is a potential carrier of infections across the security perimeter. The security software and settings used on many personally-owned devices are generally not as robust or updated as often as their corporate equivalents. The risk exposure can be exacerbated if employees and contractors log onto the corporate network using unsecured home connections or public wireless networks. Given this situation, standards need to be set to ensure personally-owned devices adhere to corporate security policies. At a minimum, employees and contractors need to keep their anti-virus definitions up to date.

Organizations must also apply similarly robust policies to the use of social media and Web 2.0 applications. By basing these on logic and reason rather than applying blanket bans, organizations can educate employees to use these tools safely and responsibly—and productively. Different policies for different types of employees may be required based on their roles and need to access these sites and applications. For instance, the access policies may be different for a marketing employee who is responsible for posting videos to the corporation’s YouTube site and tracking brand mentions online, versus a call center employee whose role does not involve social media and whose KPIs are based on the number of inquiries handled per hour.

However, when employees access social media sites for any reason using a device that connects to the corporate network, they need to understand how their actions on those sites impact the organization’s security and reputation and their personal security. One of the fastest-selling credentials on the black market today is Facebook logins. Cyber-criminals use these to distribute embedded viruses through ‘friends’ lists because many people will automatically open any link from a friend without any thought to the security behind it. Implied trust through social networking is an exploitable weakness. By warning employees about phishing scams and other malicious activity on websites and advising them of steps to avoid falling victim, and educating them about the risks around downloading files that potentially have a virus or malware embedded, an organization reduces the risk to its staff and itself. These social media policies should also clearly articulate what corporate information can and cannot be posted, who is authorized to speak on behalf of the organization, and the consequences of a breach.

Balancing Security With Productivity

For every organization, productivity may mean something slightly different, such as employees’ ability to give higher quality service to customers or citizens, meet critical deadlines, drive new innovations, or bring products or services to market faster. However, for every organization, productivity means employees using their time most efficiently and effectively, which requires giving them the right tools, access and information they need, when and where they need them. By tightening security controls too much and denying employees the right tools, access and data, productivity is stifled.

The key question presented to IT departments today is: how can they measure the productivity benefits gained from mobility and consumer technology against the risks and costs of an extended security model? The answer lies in two parts: firstly, actively and comprehensively monitoring the IT environment and secondly, better understanding users’ role requirements so it can be determined if the IT environment is truly supporting them to do their jobs effectively.

The first part can be assisted by using infrastructure and end user computing monitoring tools to determine how workers are using their time and how productive they are; how effectively the network, devices and applications are performing for them; and how well the security model is protecting the environment. Many IT departments are familiar with infrastructure monitoring tools that provide these functions. However, the challenge with most monitoring tools is that they track how a particular element is performing, but they do not always track the end-to-end user experience. When determining if the IT environment is supporting employee productivity, the monitoring needs to be from the user perspective. How well are the applications performing from the user perspective? In an organization with more mobile employees, how can the IT department monitor end-to-end performance no matter where the user is located? How can the IT department relate employee productivity impacts back to a specific security incident, like a malware infection?

The second part requires additional effort to truly measure the levels of employee productivity, the bottom-line value, and the benefits versus the cost. The most immediate place to start is by surveying workers and managers regarding their needs, if and how they use the IT tools they are given, and the benefits they see from greater mobility and the use of consumer IT tools. Common methodologies, such as Six Sigma Lean, can also help organizations understand how employee productivity impacts organizational productivity and the effectiveness of key processes and business outcomes within the organization. From evaluating these two parts, the productivity benefits can be weighed against the increased security costs to enable employees to be more mobile and use a greater selection of consumer technologies in the workplace.

With the many different types of IT devices available, the growing popularity of social networking sites and Web 2.0 applications, and younger-generation employees entering the workforce, it is inevitable that users will demand more flexibility and access to consumer technology, regardless of the IT department’s plans. By better understanding user needs and what productivity means for employees and the organization, the IT department can create an extended security model that not only better protects the organization, but also gives employees access to better tools to do their jobs more efficiently and effectively.

For more information visit www.unisys.com

© 2010 Unisys Corporation. All rights reserved. Specifications are subject to change without notice. Unisys and the Unisys logo are registered trademarks of Unisys Corporation. All other brands and products referenced herein are acknowledged to be trademarks or registered trademarks of their respective holders.

Printed in the United States of America 07/10 10-0199
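The pre-admission check described under Controlling Network Access, sketched as an added example (not from the Unisys paper or any NAC product): an endpoint is admitted only when every criterion is positively proven, and is otherwise placed in a quarantine segment with a remediation list. The 7-day definition age, the role names and the segment names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed policy values for illustration (assumptions, not from the paper).
MAX_AV_DEFINITION_AGE_DAYS = 7
QUARANTINE_SEGMENT = "quarantine"
ROLE_SEGMENTS = {"employee": {"intranet", "email"}, "contractor": {"email"}}


@dataclass
class Posture:
    """Health attributes an endpoint presents at connect time; None = not reported."""
    device_id: str
    role: str
    firewall_enabled: Optional[bool] = None
    antivirus_installed: Optional[bool] = None
    av_definitions_date: Optional[date] = None
    malware_detected: Optional[bool] = None


@dataclass
class Decision:
    admitted: bool
    segments: Set[str]
    remediation: List[str]


def evaluate(p: Posture, today: date) -> Decision:
    """Pre-admission check: the endpoint is a threat unless every criterion is proven."""
    fixes = []
    if p.firewall_enabled is not True:          # False and "not reported" both fail
        fixes.append("enable host firewall")
    if p.antivirus_installed is not True:
        fixes.append("install anti-virus")
    elif p.av_definitions_date is None or not (
            0 <= (today - p.av_definitions_date).days <= MAX_AV_DEFINITION_AGE_DAYS):
        # Missing, stale, or future-dated definitions are all treated as unproven.
        fixes.append("update anti-virus definitions")
    if p.malware_detected is not False:         # only an explicit clean result passes
        fixes.append("run malware scan")
    if p.role not in ROLE_SEGMENTS:
        fixes.append("register device to a known role")
    if fixes:
        return Decision(False, {QUARANTINE_SEGMENT}, fixes)
    return Decision(True, set(ROLE_SEGMENTS[p.role]), [])


def may_reach(decision: Decision, segment: str) -> bool:
    """Post-admission control: where the endpoint is authorized to go."""
    return segment in decision.segments


# Constructed sample endpoints, corporate and personally owned.
TODAY = date(2010, 7, 15)
SAMPLES = [
    Posture("corp-laptop", "employee", True, True, date(2010, 7, 12), False),
    Posture("personal-phone", "contractor", True, True, date(2010, 6, 1), False),
    Posture("netbook", "employee", firewall_enabled=False),
]

if __name__ == "__main__":
    for p in SAMPLES:
        d = evaluate(p, TODAY)
        state = "ADMIT" if d.admitted else "QUARANTINE"
        print(f"{p.device_id:15} {state:10} {sorted(d.segments)} {d.remediation}")
```

The posture values here are self-reported by the endpoint; the default-deny handling of missing attributes is what keeps an endpoint that reports nothing from being admitted.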