The 8 most dangerous consumer technologies

Computerworld - High-tech consumer products and services of all kinds are making their way into the workplace. They include everything from smart phones, voice-over-IP systems and flash memory sticks to virtual online worlds. And as people grow more accustomed to having their own personal technology at their beck and call -- and in fact can't imagine functioning without it -- the line between what they use for work and what they use for recreation is blurring.

In a recent survey of corporate users by Yankee Group Research Inc., 86% of the 500 respondents said they had used at least one consumer technology in the workplace, for purposes related to both innovation and productivity.

Unfortunately, this trend poses problems for IT organizations. For one thing, the use of these technologies increases the risk of security breaches. Moreover, users expect IT to support these devices and services, especially once they interact with applications in the corporate environment.

But in many companies, it would be against corporate culture to simply ban the devices or to block employees from accessing consumer services. At the same time, companies can't depend wholly on policy to maintain the level of security they need.

"I don't know of any business where employees have the time to read and comprehend every single policy related to a computer in their environment -- they're busy doing their jobs," says Sharon Finney, information security administrator at DeKalb Medical Center in DeKalb County, Ga. "I consider it my responsibility to implement things that make security seamless, easy and completely in the background."

Others, like Michael Miller, vice president of security at telecommunications services provider Global Crossing Ltd., wait until the devices or services affect productivity or otherwise cause a business problem, such as the security department battling worms or dealing with bandwidth issues. But no matter what companies decide to do, the response always involves a balance of enabling employee productivity, abiding by the corporate culture, not eating up too much of IT's own resources and ensuring a level of security that's right for the company.

"Consumerization will be a nightmare for IT departments, creating maintenance and support problems that will swiftly overwhelm IT resources, unless they embrace new approaches to managing the rogue employees," says Josh Holbrook, an analyst at Yankee Group. Holbrook equates banning the use of consumer technologies in the workplace with "an endless game of whack-a-mole." At the same time, ignoring the adoption of such technologies would lead to a potentially hazardous mix of secured and unsecured applications within a corporate enterprise, he says. He proposes ceding control to end users via an internal customer care cooperative model. (See "Zen and the art of ceding control of consumer tech to end users.")

To help you decide how to respond, below we look at eight popular consumer technologies and services that have crept into the workplace and provide some insight into how companies are achieving the balance of security, productivity and sanity.

1. Instant messaging

People use instant messaging for everything from making sure their kids have a ride home from practice to communicating with co-workers and business partners. In the Yankee study, 40% of respondents said they use consumer IM technology at work. Instant messaging present numerous security challenges. Among other things, malware can enter a corporate network through external IM clients and IM users can send sensitive company data across insecure networks.

One way to combat threats is to phase out consumer IM services and use an internal IM server. In late 2005, Global Crossing did just that when it deployed Microsoft Corp.'s Live Communications Server (LCS). Then in August 2006 it blocked employees from directly using external IM services from providers such as AOL, MSN and Yahoo. Now, all internal IM exchanges are encrypted, and external IM exchanges are protected, as they're funneled through the LCS server and Microsoft's public IM cloud.

Adopting an internal IM server also gave Global Crossing's security team more control. "Through the public IM cloud, we're able to make certain choices as to how restrictive or open we are. We can block file transfers, limit the information leaving our network or restrict URLs coming in," which was a common method for propagating worms, Miller says. "That takes away a huge component of malicious activity."

You can also take a harder line. DeKalb's security policy, for instance, bans IM use altogether. "It's mainly chat-type traffic, not personal health information, but it's still a concern," Finney says. As backup to the restrictive policy, she blocks most sites where IM clients can be downloaded, although she can't block MSN, AOL or Yahoo because many physicians use those sites for e-mail accounts. Her team also uses a network inventory tool that can detect IM clients on employee PCs. If one is found, the employee is reminded of DeKalb's no-IM policy and notified that the IM client will be removed. Finney is also considering various methods of blocking outbound IM traffic, but for now, she also uses a data loss prevention tool from Vericept Corp. to monitor IM traffic and alert the security team about any serious breaches. To do that, Finney's team needs to shut down most of its Internet ports, which forces IM traffic to scroll to Port 80 for monitoring.

DeKalb is looking into the idea of implementing the IM add-on of IBM's Lotus Notes or even an internal freeware IM service like Jabber for business users who want to communicate across campus. "Nothing is 100%," Finney says. "IM is always a huge concern from a security as well as a productivity perspective."