The dangers of taking consumer tech to work

From iPhones to Facebook, consumer technologies are increasingly being used inside supposedly locked-down businesses, posing real security risks

Despite what some vendors would have us believe, the line between frivolous consumer gadgets and serious business computing has never been that defined. The early days of the PC were typified by machines that straddled the home/office divide.

However, over the last few years, the line has become even more blurred thanks to the commoditisation of hardware, which means it's no longer necessary to have a business bank account to buy some decent processing power.

And it's not only hardware that has been made more available. The rise of web applications, as well as the more recent phenomenon of online social networking, has created an expectation that personal information can be accessed anywhere — including at work.

Staff and management alike now expect to be able to exploit in the workplace the technologies and services that they find useful at home, in order to help them undertake their jobs more effectively.

Phil Huggins, chief technical officer at security consultancy Information Risk Management, explained: "Consumers tend to be much more experimental, and so move more quickly. The key to winning here is affordability and functionality and people finding use and value in things at a personal level."

However, enterprises are generally slower than consumers to adopt technologies and services, because they need to consider factors such as total cost of ownership, return on investment, proving value and security, "although the adoption of new technologies tends to force their hand in the end", according to Huggins.

Consumer technologies are, however, often much cheaper for organisations to purchase and use than their enterprise equivalents — potentially a major consideration, especially among small to medium-sized businesses.

As Mike Gillespie, principal consultant at Advent Information Management, pointed out: "You may sacrifice some of the niceties, such as centralised management or more advanced security, but you can save thousands of pounds a year, which makes it far more cost-effective than buying corporate solutions."

And this is backed up by a survey undertaken by in association with market researcher Rhetorik of 371 UK-based organisations of all sizes with some degree of mobility within their workforce.

The study found that only about a third of respondents banned the use of consumer devices in their organisation completely, although such policies did depend on the size of the organisation. So, while about half of all large corporates went down this route, the figure fell to one fifth in the SOHO (small office/home office) sector.

A huge 51 percent of respondents, on the other hand, said they routinely allowed staff and management to use a mix of personal and company-owned gadgets and, in eight percent of cases, personnel used their own handhelds only.

Part of the problem with this situation, however, is simply the escalation in the number of technologies that are being used in an uncontrolled manner. Rhodri Davies, technical architect at security services provider Vistorm, explained: "In some ways, it's not that different from people carrying floppy disks in and out a few years ago. The problem now though is that quantities are much higher. More people use these technologies and they have much higher capabilities than they once did, which makes a security breach more likely."

It also makes it more likely that IT managers will be unaware of exactly what consumer technologies are in use in their organisations, making it more difficult to take appropriate action.

Greynets are a particularly insidious form of hidden threat. These are applications that are downloaded and installed onto end-user systems to create informal networks, enabling users to communicate and share information using the corporate IT infrastructure.

The problem is that such activity occurs without the permission of network administrators — and so generally without their knowledge — which means that it is not policed. Applications such as instant-messaging clients, peer-to-peer services, podcasts and webcams all consume system and network resources and potentially open the door to malware.

Gillespie said: "It can be a real issue if you're not aware of what consumer technologies are being used in the organisation, because you don't know what the risks are until you have a breach. The level of problem varies very much from organisation to organisation, but the biggest flaunters of policy and users of unauthorised software and hardware tend to be senior managers and the IT department itself."

This is because management often has the attitude of "I'm the boss, so I'll do what I want", while the IT department has the greatest level of access. "They're the ones that lock systems or networks down, but they don't tend to lock themselves down. So the question then is: who polices the police?" Gillespie asked.

Another serious threat that is steadily rising up the corporate agenda, not least due to regulatory compliance issues, is data loss.

"Many organisations are starting to feel that the value of their data is growing more quickly than the asset value of the business but, if you don't standardise on devices internally, you can end up with a wide range that don't have controlled configurations and that become uncontrolled routes in and out of the enterprise," explained Huggins.

For example, USB flash drives may be a convenient means for sales staff to carry important information around but...

...if they are lost or stolen, the data becomes exposed to unauthorised usage.

Similarly, if a staff member synchronises their personal smartphone with a corporate laptop, it becomes impossible to know what data — confidential emails, for example — they are taking and, therefore, what is leaving the organisation.

The other side of this is that devices can also be used to download illicit media files or personal address books onto the corporate network without personnel realising that they may be compromising their employer. In fact, the issue may only come to light if the enterprise is notified that it is in breach of copyright laws or the Data Protection Act.

"Whether we're talking about a camera or an iPod, these are all storage devices and they can bring things in and out. People can use them to steal information and they act as a reservoir for viruses and worms. To add to the fun and games, they're getting smaller in size and higher in capability at an increased rate, so it's more difficult to even tell whether people are carrying them about or not," said Davies.

To make matters worse, however, consumer devices rarely have much security functionality built in — beyond notoriously insecure password protection — because this would add to their cost.

And, despite an organisation's best efforts to encrypt sensitive data and use authentication mechanisms, such as public key infrastructures (PKIs), when sending it to a third-party user, said Andy Kellett, a senior research analyst at Butler Group, there is always the issue that suppliers, customers or partners may not be quite as meticulous.

So what can IT managers do about all of this? The first thing, from which everything else flows, is to ensure that all types of consumer technologies are covered in corporate security policies, which is often not the case at the moment, and to make sure that these policies are actively publicised and enforced.

To do this successfully, however, involves identifying key threats beforehand by undertaking a formal or informal risk assessment aimed at understanding where potential vulnerabilities lie and where resources can best be targeted.

As Gillespie said: "Sometimes you just have to accept that consumer products are not right for the organisation, no matter how much a director screams that they want to use this or that. But, to justify this means having good risk management in place and involves doing an assessment every time you contemplate rolling out any new system. This applies particularly to consumer products, however, as they have the biggest risk associated with them."

The second step is to train users adequately and appropriately, ideally when they are first recruited to the company, so that they are aware of the issues from the outset. This is necessary because staff and managers inadvertently but consistently remain the weakest link in the whole people, process and technology chain.

"Awareness is a big issue, because you have to rely on people to make the right decisions. Policy and process is about explaining to them how to do things and security controls are about limiting their ability to make bad decisions, so really it's all about people," Huggins explained.

On the technology side of things, however, while implementations are likely to be as varied as the consumer products and services being used, it is important to spend time weighing up the issues in the debate as to security versus ease of use.

"Locking down everything can be problematic because the reason that people use these technologies in the first place is that they're convenient and help them to do their jobs better, and that's an important consideration. Security has traditionally been seen as a way to stop the business working, but really it's there to support it, so there has to be a balance," Huggins said.

Nonetheless, the challenge posed by consumer technologies is unlikely to go away in the near future and, if anything, is probably set to increase over the next few years.

As Kellett remarked: "It's short-sighted to believe that there won't be a new generation of devices around the corner, and there's no guarantee that there won't be even cleverer gadgets coming along. While, in the past, few people felt it was acceptable to bring personal devices into the workplace, it's now become commonplace, so the problem isn't going to diminish any time soon."