The Consumerization of IT
As employees increasingly demand to use their personal devices to access the organization's networks, auditors need to ensure the IT department has processes and controls in place to provide access securely.
February 01, 2012
Internal auditors may have read in recent months about another worrisome security risk, the so-called "consumerization of IT." This buzz phrase refers to the increasingly common business practice of allowing employees to choose their own personal laptops, tablets, smart phones, and other computing devices and programs for accessing email and other proprietary data. Some of these activities have occurred for many years but within a limited and controlled scope, such as accessing email through a Web portal or accessing work through a Citrix client. Naturally, each of these has its own risks, including downloading data to the employee's home computer.
The primary difference today is that, in the past, IT directed how personal devices were used; now, with the newer technologies that have become popular, employees are becoming the driving force. IT, in some respects, has fallen behind and is playing catch-up to provide processes that control these devices and minimize risks.
Why IT's a Concern
The consumerization of IT increases an organization's IT risk. In response, chief audit executives will need to invest resources in training their IT auditors and direct their focus to the IT department's implementation of control procedures that mitigate the security and organizational risks these new technologies pose. Also, internal audit needs to update its audit plans to ensure sufficient attention is directed toward the new technologies. This change in focus also may require the IT department to add IT resources to accommodate the increased use of these technologies.
Risks and Mitigation Strategies
The consumerization of IT poses both organizational and security risks. From an organizational perspective, uncontrolled proliferation of these devices can occur. The IT department needs to ensure usage of personal devices is controlled through policies, procedures, and central management systems. For the IT department to control these new devices, it will need to acquire and become acquainted with these newer technologies.
Increased security risks can arise from the unencrypted transmission and storage of corporate data on employees' personal devices. The organization can protect itself by placing requirements on how these devices are used. Examples include requiring communication with corporate systems through a virtual private network or similar connection, mandating disk encryption on laptop computers or the use of an encryption app on iPhones and iPads, requiring authorization on the corporate network before any cloud facility is accessed, and implementing centralized security management for these devices.
Assigning audit resources to monitor the IT department's activities in a consulting capacity will assist in risk mitigation. Follow-up audits of the IT department's efforts also will ensure senior management is aware of the risks and of whether the IT department has appropriate risk mitigation strategies in place and working effectively.
Questions to Ask
Responses to the following questions will give the internal audit activity basic background information about the organization's consumerization activities, including their effects on the organization and the manner in which the IT department is coping with this paradigm shift. These questions also could be used as initial planning questions for an audit.
- Is the organization allowing employees to substitute their own personal devices for work devices?
- Are employees deciding for themselves to use personal devices for work? If so, how is the IT department coping with this or stopping it?
- How is the organization's IT department ensuring security risks are minimized?
- Does the IT department fully understand the technologies it has acquired to control personal devices? Has it fully implemented all potential controls?
- Are policies and procedures in place covering the use of the new technologies?
- Is senior management aware of the increased risks these new technologies pose?
- Has the internal audit activity focused resources on the IT department's risk mitigation strategies for consumerization activities?