When smartphones invade your office, how do you make sure security doesn't suffer?
Letting staff use their own PCs and smartphones in the workplace might sound like an easy way for CIOs to cut the amount they spend on buying hardware, and bring an end to those nagging emails from execs who want the latest shiny new gadget at the company's expense.
But rather than leading to a nice quiet life for the CIO, the consumerisation of IT can also open up a mess of technical, regulatory and legal issues, security chiefs have warned. Even worse, there's no turning back the clock to the days when the IT department could control every gadget that could access the corporate network.
"It's not a question of whether it's happening, it's here and it's not going away. If I ask if anyone who doesn't have access to a smartphone to put their hands up you will probably find that it's a vanishingly small number of people," said Michael Everall, chief information security officer (CISO) with Lamco LLC - Lehman Brothers Holdings.
"We can't be Dilbert's pointy-headed boss - the great deniers of technology. We have to know what's available out there so we can take the cost proposition to the board level and say 'This is what's happening and this is what you are going to do'," he said, speaking at the Infosecurity Europe 2011 conference in London last week.
"Some companies see it as a saving to the organisation through [paying for] fewer licences and fewer BlackBerrys themselves, but once you drill down through all the needs and requirements…it becomes a horrible mess of nastiness," he added.
All your devices belong to us?
Unsurprisingly, the danger of a consumer mobile device loaded with corporate data being left in the back of a taxi ranks high on the list of security chiefs' concerns. And once companies start getting serious about dealing with the data loss threat, staff might start thinking twice about using their personal smartphone or tablet at work.
"We basically will be informing individuals that, if we go down this path, be aware it may be your personal device but any of the contents on there is ours to wipe at will, and that includes your personal data," Everall said.
"If you don't back it up you're going to lose it because we will send a kill command to [wipe] that device when you leave the organisation, or if we have any concern that something may be amiss."
Are BlackBerrys the only fruit?
Not all gadgets are created equal - so security chiefs have to add extra policies for consumer smartphones, which don't come with the built-in device security and management options that are available with an enterprise-targeted handset.
For example, devices targeted mostly at consumers do not offer companies the...