High-tech consumer products and services of all kinds are making their way into the workplace. They include everything from smart phones, voice-over-IP systems and flash memory sticks to virtual online worlds. And as people grow more accustomed to having their own personal technology at their beck and call — and in fact can’t imagine functioning without it — the line between what they use for work and what they use for recreation is blurring. In a recent survey of corporate users by Yankee Group Research Inc., 86% of the respondents said they had used at least one consumer technology in the workplace, for purposes related to both innovation and productivity.
Unfortunately, this trend poses problems for IT organizations. For one thing, the use of these technologies increases the risk of security breaches. Moreover, users expect IT to support these devices and services, especially once they interact with applications in the corporate environment. But in many companies, it would be against corporate culture to simply ban the devices or to block employees from accessing consumer services. At the same time, companies can’t depend wholly on policy to maintain the level of security they need.
“I don’t know of any business where employees have the time to read and comprehend every single policy related to a computer in their environment — they’re busy doing their jobs,” says Sharon Finney, information security administrator at DeKalb Medical Center in DeKalb County, Ga. “I consider it my responsibility to implement things that make security seamless, easy and completely in the background.”
Others, like Michael Miller, vice president of security at telecommunications services provider Global Crossing Ltd., wait until the devices or services affect productivity or otherwise cause a business problem, such as the security department battling worms or dealing with bandwidth issues. But no matter what companies decide to do, the response always involves a balance of enabling employee productivity, abiding by the corporate culture, not eating up too much of IT’s own resources and ensuring a level of security that’s right for the company.
“Consumerization will be a nightmare for IT departments, creating maintenance and support problems that will swiftly overwhelm IT resources, unless they embrace new approaches to managing the rogue employees,” says Josh Holbrook, an analyst at Yankee Group. Holbrook equates banning the use of consumer technologies in the workplace with “an endless game of whack-a-mole.” At the same time, ignoring the adoption of such technologies would lead to a potentially hazardous mix of secured and unsecured applications within a corporate enterprise, he says. He proposes ceding control to end users via an internal customer care cooperative model. (See “Throwing in the towel on consumer technologies”)
To help you decide how to respond, below we look at eight popular consumer technologies and services that have crept into the workplace and provide some insight into how companies are achieving the balance of security, productivity and sanity.
1. Instant messaging
People use instant messaging for everything from making sure their kids have a ride home from practice to communicating with co-workers and business partners. In the Yankee study, 40% of respondents said they use consumer IM technology at work. Instant messaging present numerous security challenges. Among other things, malware can enter a corporate network through external IM clients and IM users can send sensitive company data across insecure networks.
One way to combat threats is to phase out consumer IM services and use an internal IM server. In late 2005, Global Crossing did just that when it deployed Microsoft Corp.’s Live Communications Server (LCS). Then in August 2006 it blocked employees from directly using external IM services from providers such as AOL, MSN and Yahoo. Now, all internal IM exchanges are encrypted, and external IM exchanges are protected, as they’re funneled through the LCS server and Microsoft’s public IM cloud.
Adopting an internal IM server also gave Global Crossing’s security team more control. “Through the public IM cloud, we’re able to make certain choices as to how restrictive or open we are. We can block file transfers, limit the information leaving our network or restrict URLs coming in,” which was a common method for propagating worms, Miller says. “That takes away a huge component of malicious activity.”
You can also take a harder line. DeKalb’s security policy, for instance, bans IM use altogether. “It’s mainly chat-type traffic, not personal health information, but it’s still a concern,” Finney says. As backup to the restrictive policy, she blocks most sites where IM clients can be downloaded, although she can’t block MSN, AOL or Yahoo because many physicians use those sites for e-mail accounts. Her team also uses a network inventory tool that can detect IM clients on employee PCs. If one is found, the employee is reminded of DeKalb’s no-IM policy and notified that the IM client will be removed. Finney is also considering various methods of blocking outbound IM traffic, but for now, she also uses a data loss prevention tool from Vericept Corp. to monitor IM traffic and alert the security team about any serious breaches. To do that, Finney’s team needs to shut down most of its Internet ports, which forces IM traffic to scroll to Port 80 for monitoring.
DeKalb is looking into the idea of implementing the IM add-on of IBM’s Lotus Notes or even an internal freeware IM service like Jabber for business users who want to communicate across campus. “Nothing is 100%,” Finney says. “IM is always a huge concern from a security as well as a productivity perspective.”
2. Web mail
Of the respondents to the Yankee Group survey, 50% said they use consumer e-mail applications for business purposes. The problem with consumer e-mail services such as those from Google, Microsoft, AOL and Yahoo is that the users themselves don’t realize how insecure their e-mail exchanges are because messages are transported over the Web and stored on the ISP’s server as well as the e-mail provider’s server. Without that awareness, many use no discretion about sending sensitive information such as Social Security numbers, passwords, confidential business data or trade secrets.
One approach to tightening security around Web mail is to use a tool that monitors e-mail content using keyword filters and other detection techniques and the either generates alerts regarding potential breaches or simply blocks the e-mail from being sent. For instance, WebEx Communications is considering expanding its use of a data loss prevention tool from Reconnex Inc. to include e-mail monitoring, according to Michael Machado, director of IT infrastructure.
For its part, DeKalb addresses this problem with Vericept’s tool, which captures a screenshot of every Web-based e-mail that employees send, including file attachments, and scans these for company-defined sensitive data, such as Social Security numbers. Alerts are sent to Finney’s team so that they can follow up with users to educate them on the dangers of sending sensitive data over the Web.
3. Portable storage devices
One of an IT manager’s biggest fears, according to Holbrook, is the steady proliferation in types of portable storage, ranging from Apple iPhones and iPods to flash memory