If you missed it, Big Blue recently banned its 400,000 employees from using Dropbox, Apple's Siri, and other well-known applications on the corporate network. Given that IBM's business is technology, the decision to restrict which technologies its people can use to do their jobs is an eyebrow-raiser. Should small and midsize businesses (SMBs) pursue a similar policy?
It depends on whom you ask. IBM obviously has a different set of needs and challenges--not to mention a different budget--than most SMBs. Still, IBM's revised approach does offer some reminders for any company that allows or even encourages employees to provision their own tools for activities such as backup or collaboration. Among IBM's reasons for the policy change: Security-related concerns. Intralinks CTO John Landy thinks the security risks of a bring-your-own-cloud (BYOC) approach are very real, no matter the size of the business.
"The risk of allowing BYOC is inherent in any organization that owns confidential or critical information, which I would assume is every corporation in existence," Landy said via an email interview. "Assuming that there is a risk associated with corporate documents, the best alternative is to follow IBM’s lead and find a solution that allows for compliance and governance, rather than allowing untethered access to Dropbox, Box, Google Drive, and other consumer-grade platforms."
Landy has a business interest at stake: IntraLinks, like Citrix's ShareFile and similar file-sharing and collaboration platforms, was built specifically with business users in mind, ignoring the consumer market. And when you're constantly asking employees to do more with less--standard operating procedure for many SMBs--restricting the tools they use to get things done can seem self-defeating. There's also that minor matter of enforcement. IBM has the wherewithal to practice what it preaches, but when IT and financial resources are already spread thin, trying to keep people from sending corporate files to their personal Gmail accounts might be an exercise in futility.
Or, as Analysys Mason principal analyst Steve Hilton put it via email: "As speakeasy owners during the U.S. Prohibition would likely tell you, it’s hard to prohibit something people really want."
Hilton ultimately thinks the Dropboxes and Google Drives of the world don't pose untenable problems for most SMBs: "I believe the underlying security of consumer-grade cloud solutions is fine for a SMB. It’s unlikely that some hacker is going to spend the time searching for top-secret SMB documents in Dropbox." Still, that doesn't mean he'd recommend them as business-critical applications. Like Landy of IntraLinks, Hilton sees clear risks in using consumer-oriented technologies for business. The first is a lack of control over the company's intellectual property (IP): "I don’t like the idea of allowing employees to put corporate IP in an account where I have no access to it," he said. The second is a lack of visibility: "I’d like to be able to see what employees are putting in cloud-based collaboration files whenever I wish."
Ask Techaisle CEO Anurag Agrawal whether smaller companies should follow IBM's lead, and you'll get a one-word answer: No. "It is like trying to say that SMBs should not use search because Google is tracking every request and storing it for future use," he said via email, adding that Techaisle itself uses Dropbox. (To boot, I'm working on this story in a Dropbox folder.) "Technologies like Dropbox are instrumental in supporting and driving new ways of working within SMBs."
It's not that Agrawal is cavalier about the potential risks of using public services such as YouTube, Skype, or Twitter in a corporate setting. Rather, he sees BYOC as an inevitable, positive shift involving risks that can be proactively managed with a mix of policy, education, and technology. Is there a downside in storing corporate data in a personal Dropbox account? Yep. But Agrawal thinks the upside of BYOC is greater for SMBs, most of which operate without even a small fraction of IBM's resources. "The widespread availability of cloud services has empowered individual workers to use services that would otherwise not be available or would take an enormous amount of time to be deployed," Agrawal said. "Next-generation cloud applications originally targeted for consumers are actually enabling SMB workers to collaborate in new ways that accelerate business productivity, growth, and innovation.
Analysys Mason's Hilton offers a bottom line: If you do restrict what tools and applications your employees use to do their jobs, you'd better provide an alternative. An SMB that followed IBM's lead and banned Dropbox, for instance, would be spitting into the wind without deploying another cloud collaboration platform; Hilton pointed to Microsoft's Sharepoint and Cisco's Hosted Collaboration Solution as examples of business-oriented alternatives.
"The best approach is the old carrot-and-stick," Hilton said. "Provide employees with a SMB-grade cloud collaboration solution and discourage the use of consumer-grade cloud."
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)