Fabi Gower saw big threats in small packages.
As vice president of information systems at health care recruiting firm Martin, Fletcher in Irving, Texas, Gower feared that various handheld gadgets could corrupt her network and the data on it.
“When PDAs first became popular, that was the first red flag. That was the ‘Uh-oh, they can plug these right into the computer, and who knows what they’re taking back and forth,’” Gower says.
She contemplated using Super Glue to plug up USB ports but resisted taking such a drastic step. Instead, Gower developed a stronger, more comprehensive security policy that regulates the use of smart phones and tablet computers. Gower also began using Sanctuary Device Control, an application from SecureWave Inc. in Herndon, Va., to block unauthorized devices from connecting to her network.
“I feel very, very comfortable that no one can plug in a device [without my being] aware of it,” she says.
Ban or Control?
Workers of all stripes are eagerly embracing handheld electronics, from smart phones and USB drives to MP3 players and portable game players. And while not every device has a business use, they can all be plugged into a networked corporate PC. That means sensitive data can be copied out and malware can be carried in.
It might be tempting to simply lock down all access, but such Draconian actions are rarely required. Rather, security leaders say, executives should weigh the risk of harm to their companies against workers’ need for these miniature devices. They should then develop comprehensive policies about who has access to what data on certain devices and enforce those policies using appropriate technological controls.
“I don’t think it’s realistic to think you can prevent the use of these devices. Companies have to think in terms of controlling them,” says Jonathan G. Gossels, president of SystemExperts Corp., a Sudbury, Mass.-based provider of network security consulting services.
Controlling these devices has some unique challenges. Their size makes them difficult to detect, and they can be easily lost or stolen. They’re also cheap enough for the average worker to own, which means companies are seeing more of these devices, and a greater variety of them, hooked up to their networks.
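The detection problem described above is tractable on the endpoint, because the operating system logs every device the moment it enumerates, whether or not anyone notices the hardware. The following is an added example, not code from the article or from SecureWave's product: it parses Linux kernel log lines of the kind `dmesg` shows when a USB device is attached, singles out the ones that expose a mass-storage function, and checks their vendor and product IDs against an allowlist. The log lines, the allowlist and the device IDs are constructed for illustration; the last function emits rules in the USBGuard rule language (as documented in its `usbguard-rules` manual, an assumption to verify against the version you run) so the same allowlist can be enforced rather than merely reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of Linux kernel messages (usb core and usb-storage), as
# they appear in dmesg / journalctl -k. Vendor and product IDs are illustrative.
SAMPLE_LOG = """\
[ 1201.123456] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[ 1201.234567] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 1201.234570] usb 1-1: Product: Cruzer Blade
[ 1201.234572] usb 1-1: Manufacturer: SanDisk
[ 1201.300000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1250.000000] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
[ 1250.000010] usb 1-2: Product: USB Receiver
[ 1250.000012] usb 1-2: Manufacturer: Logitech
[ 1300.000000] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 1300.000010] usb 1-3: Product: Personal Drive
[ 1300.000020] usb 1-3: Manufacturer: Generic
[ 1300.500000] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Constructed corporate allowlist: (idVendor, idProduct) pairs of issued drives.
CORPORATE_ALLOWLIST: Set[Tuple[str, str]] = {("0781", "5567")}

# The four message shapes we care about. The "path" is the bus topology
# string (e.g. "1-1") that ties the later lines back to the enumeration line.
_FOUND = re.compile(
    r"usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
_PRODUCT = re.compile(r"usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")
_MANUF = re.compile(r"usb (?P<path>[\d.-]+): Manufacturer: (?P<name>.+)$")
_STORAGE = re.compile(
    r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbDevice:
    path: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    mass_storage: bool = False


def parse_usb_log(text: str) -> Dict[str, UsbDevice]:
    """Reassemble one UsbDevice per bus path from the scattered kernel lines."""
    devices: Dict[str, UsbDevice] = {}
    for line in text.splitlines():
        if (m := _FOUND.search(line)):
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
        elif (m := _PRODUCT.search(line)) and m["path"] in devices:
            devices[m["path"]].product = m["name"].strip()
        elif (m := _MANUF.search(line)) and m["path"] in devices:
            devices[m["path"]].manufacturer = m["name"].strip()
        elif (m := _STORAGE.search(line)) and m["path"] in devices:
            devices[m["path"]].mass_storage = True
    return devices


def audit_usb_log(text: str, allowlist: Set[Tuple[str, str]]) -> List[dict]:
    """Classify every enumerated device: allowed storage, unauthorized storage,
    or ignored (no mass-storage function, e.g. a keyboard or mouse receiver)."""
    findings = []
    for dev in sorted(parse_usb_log(text).values(), key=lambda d: d.path):
        if not dev.mass_storage:
            verdict = "ignored"
        elif (dev.vid, dev.pid) in allowlist:
            verdict = "allowed"
        else:
            verdict = "unauthorized"
        findings.append({
            "path": dev.path, "id": f"{dev.vid}:{dev.pid}",
            "name": f"{dev.manufacturer} {dev.product}".strip(),
            "mass_storage": dev.mass_storage, "verdict": verdict,
        })
    return findings


def usbguard_rules(allowlist: Set[Tuple[str, str]]) -> List[str]:
    """Turn the allowlist into USBGuard policy: permit the issued drives,
    block anything else that offers a mass-storage interface (class 08),
    and leave other device classes to USBGuard's implicit policy."""
    rules = [f"allow id {vid}:{pid}" for vid, pid in sorted(allowlist)]
    rules.append("block with-interface equals { 08:*:* }")
    return rules


if __name__ == "__main__":
    for f in audit_usb_log(SAMPLE_LOG, CORPORATE_ALLOWLIST):
        print(f"{f['path']:5} {f['id']}  {f['verdict']:13} {f['name']}")
    print("\n".join(usbguard_rules(CORPORATE_ALLOWLIST)))
```

Two caveats a practitioner should keep in mind. The vendor and product IDs are asserted by the device itself, so a hostile device can claim to be the company's issued drive; pairing the ID with the device serial number raises the bar a little, but only a signed or tamper-evident device gives real assurance. And a log audit is after the fact: it tells you what was plugged in, which is the visibility Gower describes, while the generated rules are what stop an unlisted drive from mounting at all.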
“We have a sense we’re only seeing the tip of the iceberg. Because they’re so small and portable, they’re always under the radar,” says Kent Anderson, managing director at Network Risk Management LLC in Portland, Ore., and a member of the Information Systems Audit and Control Association (ISACA) Certified Information Security Manager board.
That explains, in part, why many companies still don’t have appropriate policies and controls in place.
“In simple terms, they’re behind the curve,” Anderson says. “Most companies have an awareness [that] there’s a problem. They’re starting to see it, but they’re at somewhat of a loss as to what to do about it.”