Consumerization of IT: Top Risks and Opportunities

This report is an ENISA deliverable in the area of “Identifying & Responding to the Evolving Threat Environment”. It delivers the results of a risk and opportunity assessment in the area of “Consumerization of IT” (COIT), that is, the recent trend where user-owned, consumer-oriented hardware and software spreads in business environments (see also the definition in the section Terminology below). COIT is considered a term that embraces the recent trend known as Bring-Your-Own-Device (BYOD).

Further to the risk and opportunity assessment, this report presents the criteria and guidelines that were used for identification of COIT as an emerging area. The presented criteria and guidelines will be applied in the identification phase of future areas for the assessment of emerging risks and opportunities.

The work has been conducted with the support of an Expert Group (see Acknowledgements). The risks and opportunities assessed are:

Risks related to costs:

- Increased risk of loss of value when employees bring the organisation’s brand into disrepute by uncontrolled use of consumerized services/devices

- Increased variety and complexity of devices, systems and applications, all requiring management, will lead to increased costs

- More use of mobile devices is likely to result in more lost devices and thus increased costs

- Additional spending to ensure that security requirements do not act to either prevent appropriate consumerization or to encourage inappropriate use of consumer devices

Risks related to legal and regulatory issues:

- Corporate governance and compliance control over employee-owned devices will be weaker

- Interoperation, usage models and change of security context between applications and systems will make enforcement of legal and regulatory compliance controls more difficult

- Lack of clear distinction between corporate and personal data on employee-owned devices will make e-discovery more difficult and may lead to litigation with employees

Risks related to data confidentiality/integrity/availability:

- Potential loss of corporate data as a result of unauthorized sharing of information on employees’ devices and sharing of devices

- Potential loss of corporate data as a result of access by unknown users and unmanaged devices to enterprise networks

- Potential loss of corporate data as a result of difficulty of controlling security in application-rich mobile devices, especially if employee-owned

- Increased risk of mobile devices being the target of attack for the acquisition of corporate data


Opportunities:

- Potential financial opportunities

- Potential Human Resources benefits

- Potential Data Management opportunities

- Potential operational opportunities

