As employees increasingly take a 'mobile-first' approach to their use of computing technology this creates new challenges for organizations; and especially for business continuity managers. Jaspreet Singh explains why...
Working in technology, you would think that we would become inured to change. However, the computing industry as a whole only seems to be evolving faster than ever. This change opens up new avenues for individuals and companies to work in new ways, driving up productivity, and yet, this can also lead to more problems. The laws of unintended consequences can affect how enterprises run their operations in the future, as well as how business continuity teams plan ahead to keep their companies’ operations secured against risk.
Companies are taking new approaches to how their staff work and achieve their objectives. In the UK today, around 48 percent of employees can be classed as ‘mobile workers’ that travel for more than 20 percent of their working week, according to Strategy Analytics. This trend will only increase; in the US, more than 105 million employees will be classed as mobile workers by 2020, according to research by IDC.
The growth of mobile working means that employees outside the office are creating more and more company data. As these workers are becoming ‘mobile-first’ in their use of computing technology, i.e. using their tablets and phones as well as their laptops rather than the traditional PCs that live on desks and remain stationary), business continuity strategies will have to evolve as well.
Alongside this shift in how employees are working, companies are changing how services are delivered too. Cloud-based applications are becoming common within enterprises of all sizes. Microsoft’s Office 365 is now used by around a quarter of all US public sector bodies, with Google Apps not far behind. With just under half of all these organizations using cloud-based office productivity suites for their email, this is nothing short of a fundamental shift in how central IT services are provisioned.
Business is being conducted in different ways too. In the past, the options for communication were more limited, with face-to-face meetings, fax, phone calls and email being used. Today, there are more options available: a conversation with a customer might begin on social media and continue via phone conversations or chat applications. While the role of email is not going to diminish as a ‘system of record’ for communication, the range of options open to people across the business is ever-increasing.
What do all of these trends mean for business continuity teams? Well, the need for disaster recovery and backup of data has not decreased, but it is different. These changes mean that traditional data protection methods might not capture all of the data that people create as part of their working lives. Relying on protection of central applications is therefore not going to be enough.
The impact on compliance: why there is more need for collaboration
All of these changes are taking place at the same time. Some programmes will be officially sanctioned by the business: for example, mobile working can be part of a wider strategy that aims to provide people with the support and tools they need to work wherever and whenever suits them. However, many of these changes may be slipping in under the radar. Individuals may be working using their own devices, or line of business teams may be implementing their own cloud apps and tools without consulting with IT.
As the use of technology becomes ever more crucial to businesses, protecting the data that people create during their work is a necessary investment for all organizations. Many traditional approaches to protecting data rely on all that new information being created and stored centrally. When individuals can create new files that make use of personally identifiable information and save that data either locally on a tablet or in a cloud service without ever touching a corporate IT device, this opens up the potential for data loss and risk.
This also affects company planning for compliance purposes too, as data can exist on end-user devices without approval from IT. In the past, it was always possible for a company laptop to be lost with sensitive data contained on its hard drive; today, the nightmare scenario is that IT will not know about that sensitive data being created at all. The proliferation of data onto more devices, accessible from more places through applications or services that are not directly owned and managed by IT is all too easy to imagine.
While this growth of data can put compliance efforts at risk, this can also be an effective spur to action as well. For example, the European Union has put together a new draft regulation in place around the safety and security of personal data. The General Data Protection Regulation (GDPR) includes a notice that any infringement of personal data through loss or theft can potential result in damages equating to four percent of an organization’s annual revenues. This represents a huge incentive to invest in better data protection strategies ahead of the regulation coming into effect in 2018.
For companies in the EU, GDPR can help both compliance and business continuity planning efforts to be taken more seriously without requiring a major incident. By taking a more proactive approach to compliance and disaster recovery, it’s possible to stop some of the issues that would otherwise affect data protection initiatives.
Putting proactive continuity and compliance in place
All continuity efforts are geared towards ensuring that business operations can get back to normal as fast as possible after an incident. This could be a minor issue that can be fixed through the fast recovery of IT systems; alternatively, a major disaster may require the full-scale implementation of operations at a secondary site while the primary incident is dealt with. Either way, DR planning involves having up to date versions of critical data, processes and operations in place that staff can then use.
This is a big contrast with compliance activities. In the event of an audit, the typical approach that IT teams will have to undertake is to search through available email records and files around a specific topic. This represents a big potential time investment. However, just like any disaster, these audit events can’t be predicted in advance, so many companies choose not to invest here if they can avoid it.
The problem is that more data is being created on mobile devices without touching central IT systems. If an audit event does come up, then the IT team can find themselves unable to build up the full picture of what really took place. What if the critical communications took place over a channel that did not have its data adequately backed up, or the user forgot to save their data centrally rather than on their own device? Is the data stored on a cloud service rather than on a central IT system?
To prevent this from becoming an issue, it’s possible to take a more proactive approach to data protection. Rather than existing traditional approaches to capturing data that rely on centralisation of data, it’s worth looking at how data created on mobile devices can be added to the business continuity planning process instead.
As documents are created, they can be scanned automatically to check for personally identifiable information that needs to meet compliance rules around security. If and when one of these files is created, the necessary rules on security and retention can then be applied. This approach is more practical than relying on human intervention; indeed, it should be based on taking the same ‘ease of use’ priority that mobile app developers have to bear in mind.
At the same time, use of cloud services need not be another hurdle to successful disaster recovery planning and enforcement of compliance. New cloud DR services exist that can replace traditional DR services that are not fit for purpose; alternatively, existing business continuity plans can be supplemented through on-premises or hybrid cloud deployments. Over time, these separate tools can be consolidated to save on costs too.
As companies seek to remain competitive in today’s business landscape, the use of cloud services and mobile devices is increasing in size and scope. Individuals want more flexibility in how they work, while IT teams are looking to keep data protection plans in place that track against these new work patterns. As more and more employees become mobile workers, business continuity planning and DR strategies will have to move into this ‘mobile first’ world as well.