Consumer tech may create a security hazard in workplace

15 Jun 2007

Workers bringing in consumer electronics devices such as MP3 players and wireless hotspot devices or services like VoIP and instant messaging into the workplace are posing the next significant threat to enterprise IT security.

According to Gartner, employees expect to use more of their personal equipment and services at work and increasingly enterprises are simultaneously adopting more consumer technologies in business operations.

“Although consumer technologies create new risks for the enterprise, eliminating their use is increasingly difficult and impractical,” said Rich Mogull, research vice-president for Gartner.

“By taking security precautions and investing in foundational security technologies now, enterprises can prepare themselves for increasing use of consumer devices, services and networks with their organisation and manage these risks.”

The entrance of consumer technologies in the enterprise challenges traditional security models, but, although they may lack maturity and come at a high price, the tools exist to manage the risks.

Many of these, such as network access control (NAC) or CMF/DLP, are being adopted by enterprises to manage other threats and can be configured for consumerisation threats.

And while in some cases it may be too early or costly to invest in these less-mature tools, enterprises can start with policies and procedures and use these to help guide future technology deployments, claimed Gartner.

Consumer email, instant messaging (IM), VoIP and other communications services are becoming intrinsically tied to people’s online personalities. Today, most employees use private email services, such as Gmail, Yahoo!, AOL or Hotmail, often from work, and often as a way to exchange work materials with their PCs at home.

IM also continues to rise in popularity and usage may actually exceed email usage with younger generations. New services and technologies, such as Skype, video chat and collaborative workspaces, are becoming more common, even among less-technical employees.

“Most organisations will find themselves unable to completely block these services, for cultural, if not technical reasons, but security options are available to limit the risks that consumer communications services create,” said Mogull.

“Enterprises can look at a vector for malicious software or violations of corporate communications policies. Current acceptable use policies often do not cover these areas and traditional email security or firewalls and URL filtering do not deal with them effectively.”

In addition to communications, there is a growing use of blogs, social networks and other Web 2.0 services, both in and out of the workplace. Some of these services create a risk of information leaks while others offer potential new channels for malicious software.

Another threat may come in the form of unmanaged mobile devices like smart phones. Apart from large amounts of storage these devices can run robust applications and are increasingly a target for malicious code.

As both broadband penetration and the use of wireless networks increase, employees will connect to enterprise resources through smart phones and unmanaged remote devices like laptops.

Allowing employees to work from home on their own systems may increase productivity but Gartner warned it may also pose a security risk unless firms deploy secure socket layer (SSL) virtual private networks (VPNs).

By John Kennedy