Blanket bans on mp3s and USB sticks in response to perceived security threats have silenced cubicles in many Canadian offices. But at least one Canadian security consultant believes just blackballing these devices can do more harm.
“Don’t avoid them, take control,” said Karen Nemani, senior security consultant at 2Keys Corp, a Toronto-based IT security consultancy firm.
Nemani was speaking at a recent round table discussion titled "Security in a Mobile World," organized on Wednesday by the CIO Executive Council, a professional organization for Canadian CIOs.
According to Nemani, mobile devices have become a fact of life and, used judiciously, can actually increase productivity. However, she said, security and employee performance concerns make many firms oblivious to the benefits of these devices.
Recent research does indicate that such fears are prompting companies to impose outright bans on mp3 players and flash drives.
In a countrywide survey of 259 companies conducted by Ipsos-Reid Corp., 30 per cent of the respondents said they have prohibited staff from bringing mp3 players, such as Apple Computer Inc.’s iPod, to work.
Nemani said such bans can be counterproductive because these devices have become part and parcel of people’s lives today.
Research bears out this view.
Last Christmas, shoppers spent an estimated US$17.1 billion on consumer electronics, according to a study conducted by the Consumer Electronics Association (CEA) of Arlington, Va. Portable mp3 players head the list of hot-ticket items.
“People received these items as gifts or bought [them] and are going to want to try them out, at home or in the office,” said Nemani.
She also cited a study by analyst firm IDC in Framingham, Mass., indicating that the global mobile workforce will shoot up to roughly 878 million users by 2009.
Instead of barring iPods, cell phones, personal digital assistants (PDAs) and other mobile gadgets from the corporate environment, Nemani said, management should develop security policies that govern the use of these tools.
Mobile devices can also increase productivity, she said, citing studies that show Blackberry owners often use the device for work-related tasks. In doing so, they are able to convert as many as 40 minutes of previously unused time into productive activity. “Why would you want such a device out of your organization?”
Nemani, however, did not minimize the risk posed by mobile devices such as USB sticks, which she said can be used to steal or disclose confidential and corporate information or introduce viruses and corrupt office networks.
A stolen Blackberry or notebook can be a major security risk for companies, Nemani said. For instance, she said the personal information of 38,000 United States veterans was recently put at risk when a Veterans Affairs Department subcontractor lost a computer containing this data.
Hackers can eavesdrop on company employees using WiFi or Bluetooth-enabled phones and laptops. They can also launch a Bluesnarf attack, hijacking a Bluetooth-enabled phone or PDA to get hold of client lists and calendars or to plant a virus on the device.
The first thing a company should do to minimize security risks is to evaluate the value of its information, Nemani said. “You don’t want to set up a security plan that is more expensive than the data you want to protect.”
In some instances, existing security policies should be revamped to cover mobile devices and include the installation or distribution of appropriate anti-virus and anti-spyware software to these gadgets.
Other security strategies mentioned by Nemani include the use of hard drive and file encryption to protect data, and an authentication system that only allows identifiable connections into the network.
She also said administrators can limit download volumes to prevent in-house data theft.
Laptops and PDAs can be rigged with hidden hard drives that can only be accessed with a key. Administrators can also install call-home software on notebooks that alerts the police once a stolen device is brought online.
Systems that enable administrators to remotely destroy data or disable stolen devices should also be considered.
A comprehensive log of all events is also essential for keeping track of network activity, according to Chan Ghosh, chief information officer of Mississauga, Ont.-based financial firm Landmark Corp. “The log can identify the user, what the user did and when.”
He said some network logs include software that detects suspicious behaviour, such as downloading unusually large files.
“Data protection is critical. Firms can be held legally liable for stolen data,” said Ghosh.
Unfortunately, Ghosh said, many firms do not view protecting data as a top priority. “Until now, one of the major CIO challenges has been convincing the board to invest in beefing up IT security.”