The dangers of taking consumer tech to work

Summary:From iPhones to Facebook, consumer technologies are increasingly being used inside supposedly locked-down businesses, posing real security risks

Despite what some vendors would have us believe, the line between frivolous consumer gadgets and serious business computing has never been that defined. The early days of the PC were typified by machines that straddled the home/office divide.

However, over the last few years, the line has become even more blurred thanks to the commoditisation of hardware, which means it's no longer necessary to have a business bank account to buy some decent processing power.

And it's not only hardware that has been made more available. The rise of web applications, as well as the more recent phenomenon of online social networking, has created an expectation that personal information can be accessed anywhere — including at work.

Staff and management alike now expect to be able to exploit in the workplace the technologies and services that they find useful at home, in order to help them undertake their jobs more effectively.

Phil Huggins, chief technical officer at security consultancy Information Risk Management, explained: "Consumers tend to be much more experimental, and so move more quickly. The key to winning here is affordability and functionality and people finding use and value in things at a personal level."

However, enterprises are generally slower than consumers to adopt technologies and services, because they need to consider factors such as total cost of ownership, return on investment, proving value and security, "although the adoption of new technologies tends to force their hand in the end", according to Huggins.

Consumer technologies are, however, often much cheaper for organisations to purchase and use than their enterprise equivalents — potentially a major consideration, especially among small to medium-sized businesses.

As Mike Gillespie, principal consultant at Advent Information Management, pointed out: "You may sacrifice some of the niceties, such as centralised management or more advanced security, but you can save thousands of pounds a year, which makes it far more cost-effective than buying corporate solutions."

And this is backed up by a survey undertaken by ZDNet.co.uk in association with market researcher Rhetorik of 371 UK-based organisations of all sizes with some degree of mobility within their workforce.

The study found that only about a third of respondents banned the use of consumer devices in their organisation completely, although such policies did depend on the size of the organisation. So, while about half of all large corporates went down this route, the figure fell to one fifth in the SOHO (small office/home office) sector.

A huge 51 percent of respondents, on the other hand, said they routinely allowed staff and management to use a mix of personal and company-owned gadgets and, in eight percent of cases, personnel used their own handhelds only.

Part of the problem with this situation, however, is simply the escalation in the number of technologies that are being used in an uncontrolled manner. Rhodri Davies, technical architect at security services provider Vistorm, explained: "In some ways, it's not that different from people carrying floppy disks in and out a few years ago. The problem now though is that quantities are much higher. More people use these technologies and they have much higher capabilities than they once did, which makes a security breach more likely."

It also makes it more likely that IT managers will be unaware of exactly what consumer technologies are in use in their organisations, making it more difficult to take appropriate action.

Greynets are a particularly insidious form of hidden threat. These are applications that are downloaded and installed onto end-user systems to create informal networks, enabling users to communicate and share information using the corporate IT infrastructure.

The problem is that such activity occurs without the permission of network administrators — and so generally without their knowledge — which means that it is not policed. Applications such as instant-messaging clients, peer-to-peer services, podcasts and webcams all consume system and network resources and potentially open the door to malware.

Gillespie said: "It can be a real issue if you're not aware of what consumer technologies are being used in the organisation, because you don't know what the risks are until you have a breach. The level of problem varies very much from organisation to organisation, but the biggest flaunters of policy and users of unauthorised software and hardware tend to be senior managers and the IT department itself."

This is because management often has the attitude of "I'm the boss, so I'll do what I want", while the IT department has the greatest level of access. "They're the ones that lock systems or networks down, but they don't tend to lock themselves down. So the question then is: who polices the police?" Gillespie asked.

Another serious threat that is steadily rising up the corporate agenda, not least due to regulatory compliance issues, is data loss.

"Many organisations are starting to feel that the value of their data is growing more quickly than the asset value of the business but, if you don't standardise on devices internally, you can end up with a wide range that don't have controlled configurations and that become uncontrolled routes in and out of the enterprise," explained Huggins.

For example, USB flash drives may be a convenient means for sales staff to carry important information around but...

Topics: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.