(This is a point/counterpoint series of articles. Today’s post relates to FUIT the way I see it, and tomorrow we’ll see what Jack thinks. If sparks really fly, maybe we’ll have a podcast to hug it out.)
Years ago, when we ran ConsumerizeIT.com (remember that?!), we had an area of the site set aside for something we called FUIT. We pronounced it “foo-it”, but since FUIT was really meant to call attention to the ways users took IT into their own hands, it was really more appropriate to pronounce the letters themselves, F-U, IT.
Without purposely piling on to the whole “President Trump uses a Galaxy S3” bandwagon (Ramin Edmond did a nice job covering it over on SearchMobileComputing.com), as ridiculous as that sounds, reading articles about it brought to mind FUIT and reminded me of how we haven’t really come as far as I’d hoped in that department. We may have called attention to FUIT, but the reality is that a user can still basically do anything they want if they want to circumvent the established boundaries.
Such is the case here. Though it’s been said that “the president has no say” in what device he uses, the reality is that even the highest ranking official in our country can say, “FUIT”. On a much less public level, this is still happening all over your company.
Dropbox, for example, claims to be in use in eight million businesses around the world, of which only 200,000 are actually paying for Dropbox for Enterprise. That means roughly 7.8 million enterprise Dropbox users are saying “FUIT” and doing whatever they need/have/want to do. FUIT is still happening as much as ever!
This is where Dropbox anticipates a lot of their growth will come from, because converting those one-off personal Dropbox accounts to Dropbox for Enterprise users amounts to the lowest hanging fruit. The thing is, how do you convince users to do this? Dropbox can’t convert them on their own–the company has to identify that this is happening and decide to do something about it that is both acceptable to the company and to the end user. Take features away and the end user will go rogue again.
So how in the world should we address this? It’s easy to say that we need to add more management and education, but all that amounts to a hill of beans if nobody uses the management or our users don’t care why they shouldn’t do something when it just gets in the way of what they want or need to do.
One way would be to change the way we manage our end users’ devices. Currently we have a desktop management platform and an enterprise mobility management platform. Each is fairly capable, but they use different policies and workflows while requiring more or less duplicate, but different, levels of effort and knowledge to run. That means that whatever you do to lock down and secure one platform isn’t necessarily the same as what’s done on another.
UEM (Unified Endpoint Management) aims to help with that, but we’ve only just begun to see that world taking shape. We understand the path that a UEM platform needs to take to get us to the point where we can effectively manage both Windows and mobile endpoints from the same console, but, as we’ve detailed in the past, there is a long way to go before it’s viable for large enterprises (let alone government).
My point is that even though there is viable technology today, actually putting it to use in order to solve FUIT is not as easy as saying “Just do X, Y, and Z and you’ll be fine.”
Then there is User Activity Monitoring, or UAM. UAM could help you identify those rogue Dropbox users or other actions that violate corporate security policies while also educating users on why they shouldn’t be doing certain things (as well as the proper, sanctioned way to do them). It’s a valuable piece of the puzzle, but as I wrote when I covered ObserveIT’s UAM platform, UAM isn’t the kind of thing that every company is going to roll out right away.
Simply educating people isn’t enough because, to many people, all the warnings sound like gibberish. To IT folks, it all makes sense, but bring in your random end user who just wants to do their job (or worse, one who is inflexible and unwilling to change by, say, ditching their 2012-era, insecure phone when they have a job that requires the utmost security), and “I didn’t fully grasp the implications” is a pretty pathetic excuse when the crap hits the fan.
We can’t just solve that problem with further education. My sixty-something mother-in-law that works as a nurse isn’t going to sit through a comprehensive training class and fully grasp the plight of IT security in any meaningful way, despite how wonderful she might be (yep…just in case she reads this). There are a lot of techno-phobe 30-, 40-, and 50-somethings still in the workforce.
Of course, we also can’t have goons walking around the cubicle farms looking for power line Ethernet runs to unsecure networks, inspecting phones to make sure they’re on the corporate WiFi instead of using the cellular network to access something that’s blocked from within the company network, or trying to find every last rogue Dropbox user. It’s as impractical for IT as it is uncomfortable for the end users, and the result will feel more like a police state than a comfy, secure approach to IT.
To be clear, I’m not suggesting penalizing people for breaking the rules. I do think, however, that using things like unified management and activity monitoring, combined with meetings with groups of employees that show the data IT has collected, could go a long way towards driving home the point that we know what you’re doing, and we need it to stop. Nobody is going to fess up to breaking the rules if they fear punishment, but perhaps something along the lines of “We know that you know that you shouldn’t be doing this, but we still see it being done,” would be enough if doled out on a regular basis (say, quarterly).
Many people are aware that it’s happening but have placed it in the “out of sight, out of mind,” or “what can we do about it?” categories. I’m included in that, because no matter how much management we have, there are always going to be ways around corporate policies unless you’re in an incredibly restricted environment without much in the way of access to the outside world.
I guess that’s the point I wanted to make here. If you’re struggling with this, you’re not alone. In fact, it appears that the challenges of FUIT are not limited to enterprises, but persist to the highest level of government. If they can’t get it figured out, then what hope do we have?