The dangers of taking consumer tech to work

Tags:
Assessment,
Lock,
Workplace,
Consideration

Cath Everett ZDNet.co.uk

Published: 29 Oct 2007 14:42 GMT

...if they are lost or stolen, the data becomes exposed to unauthorised usage.

Similarly, if a staff member synchronises their personal smartphone with a corporate laptop, it becomes impossible to know what data — confidential emails, for example — they are taking and, therefore, what is leaving the organisation.

The other side of this is that devices can also be used to download illicit media files or personal address books onto the corporate network without personnel realising that they may be compromising their employer. In fact, the issue may only come to light if the enterprise is notified that it is in breach of copyright laws or the Data Protection Act.

"Whether we're talking about a camera or an iPod, these are all storage devices and they can bring things in and out. People can use them to steal information and they act as a reservoir for viruses and worms. To add to the fun and games, they're getting smaller in size and higher in capability at an increased rate, so it's more difficult to even tell whether people are carrying them about or not," said Davies.

To make matters worse, however, consumer devices rarely have much security functionality built in — beyond notoriously insecure password protection — because this would add to their cost.

And, despite an organisation's best efforts to encrypt sensitive data and use authentication mechanisms, such as public key infrastructures (PKIs), when sending it to a third-party user, said Andy Kellett, a senior research analyst at Butler Group, there is always the issue that suppliers, customers or partners may not be quite as meticulous.

So what can IT managers do about all of this? The first thing, from which everything else flows, is to ensure that all types of consumer technologies are covered in corporate security policies, which is often not the case at the moment, and to make sure that these policies are actively publicised and enforced.

To do this successfully, however, involves identifying key threats beforehand by undertaking a formal or informal risk assessment aimed at understanding where potential vulnerabilities lie and where resources can best be targeted.

Locking down everything can be problematic because the reason that people use these technologies in the first place is that they're convenient and help them to do their jobs better, and that's an important consideration

Phil Huggins, Information Risk Management

As Gillespie said: "Sometimes you just have to accept that consumer products are not right for the organisation, no matter how much a director screams that they want to use this or that. But, to justify this means having good risk management in place and involves doing an assessment every time you contemplate rolling out any new system. This applies particularly to consumer products, however, as they have the biggest risk associated with them."

The second step is to train users adequately and appropriately, ideally when they are first recruited to the company, so that they are aware of the issues from the outset. This is necessary because staff and managers inadvertently but consistently remain the weakest link in the whole people, process and technology chain.

"Awareness is a big issue, because you have to rely on people to make the right decisions. Policy and process is about explaining to them how to do things and security controls are about limiting their ability to make bad decisions, so really it's all about people," Huggins explained.

On the technology side of things, however, while implementations are likely to be as varied as the consumer products and services being used, it is important to spend time weighing up the issues in the debate as to security versus ease of use.

"Locking down everything can be problematic because the reason that people use these technologies in the first place is that they're convenient and help them to do their jobs better, and that's an important consideration. Security has traditionally been seen as a way to stop the business working, but really it's there to support it, so there has to be a balance," Huggins said.

Nonetheless, the challenge posed by consumer technologies is unlikely to go away in the near future and, if anything, is probably set to increase over the next few years.

As Kellett remarked: "It's short-sighted to believe that there won't be a new generation of devices around the corner, and there's no guarantee that there won't be even cleverer gadgets coming along. While, in the past, few people felt it was acceptable to bring personal devices into the workplace, it's now become commonplace, so the problem isn't going to diminish any time soon."