THE INCREASING convergence of personal and business technology is ushering in a new age of conflict between security and business that threatens to end in anarchy, according to a leading technology analyst.
According to Robin Simpson, research director at Gartner, the boundary between personal and enterprise computing is becoming blurred and new rules are needed to deal with the issue. “The traditional response from the IT department was to say ‘no’, but that’s no longer an option,” said Simpson. “You can’t hold back the changes being driven by your user population by force, or they will simply conspire against you. But you can’t just relax control. You need to find a way to delineate between the business and personal computing worlds so they can work side-by-side and the boundary can be secured.”
“Just as company-owned cars ceased to be an integral element of the employee’s package, so company-owned computing devices, especially notebook computers and mobile phones, need no longer form part of the overall benefits package,” said Simpson.
“Our research confirms that companies around the world are increasingly considering employee-owned devices to be formal business tools. By taking security precautions and investing in foundational security technologies now, enterprises can prepare themselves for increasing use of consumer devices, services and networks with their organisation, and manage these risks.”
Gartner research found that 42 per cent of companies have policies or schemes in place allowing personally-owned PCs to connect to the corporate networks. In the US, the figure was 51 per cent.
Indeed, the trend has led many IT security experts to pronounce the traditional ‘security perimeter’ a thing of the past. “We put a lot of focus into understanding that we can’t think about our technology as having a hard perimeter or a hard core,” said Richard Johnson, head of architecture, research and cybercrime at Westpac.
“When you then factor in and think about your business; the complex business relationships you now have; the trusted or semi-trusted partners that you do business with; the level of connectivity that you may be opening yourself up to or have created bridging their network and yours; whether it’s done as a business-to-business extranet or whether it’s done by their people coming onto your premises with their equipment and then setting up and perhaps tunnelling back into their environment; then talking about third-party arrangements and contracted arrangements or contractors and consultants — it’s a very rich mix of people with access to your systems both physical and logical.
“So it changes the way we think about securing our data and our systems. It’s less now about thinking about the boundary and more about thinking about defence in depth and zones of defence, zones of security.”
Gartner’s Simpson said shifting accountability for security onto users is a potent weapon. “The key is to assume all access to your corporate network is potentially hostile,” said Simpson. “The only real solution is to increase core system and information security while relaxing user constraints and shifting responsibility to them. Although [the tools] may lack maturity and come at a high price, the tools do exist to manage the risks of non-company equipment in the enterprise.”
Stuart Fagg is the Editor of Risk Management magazine. See www.riskmanagementmagazine.com.au