Previous page:
Instant messaging in the workplace2. Web mail
Of the respondents to the Yankee Group survey, 50 per cent said they used consumer e-mail applications for business purposes.
The problem with consumer e-mail services such as those from Google, Microsoft, AOL and Yahoo is that the users themselves don't realize how insecure their e-mail exchanges are because messages are transported over the Web and stored on the ISP's server as well as the e-mail provider's server.
Without that awareness, many use no discretion about sending sensitive information such as Social Security numbers, passwords, confidential business data or trade secrets.
One approach to tightening security around Web mail is to use a tool that monitors e-mail content using keyword filters and other detection techniques and that either generates alerts regarding potential breaches or simply blocks the e-mail from being sent.
For instance, WebEx Communications is considering expanding its use of a data loss prevention tool from Reconnex Inc. to include e-mail monitoring, according to Michael Machado, director of IT infrastructure.
For its part, DeKalb addresses this problem with Vericept's tool, which captures a screenshot of every Web-based e-mail that employees send, including file attachments, and scans these for company-defined sensitive data, such as Social Security numbers.
Alerts are sent to Finney's team so that they can follow up with users to educate them on the dangers of sending sensitive data over the Web.
3. Portable storage devices
One of an IT manager's biggest fears, according to Holbrook, is the steady proliferation in types of portable storage, ranging from Apple iPhones and iPods to flash memory devices.
"People can use these to download any number of corporate secrets or sensitive information and move it off-site, which is not where IT wants that information to be," he says.
"In the past three weeks alone, I've heard six different conversations about the risks of flash drives and portable storage devices," says Mark Rhodes-Ousley, an information security architect and author of
Network Security: The Complete Reference (McGraw-Hill Osborne Media, 2003).
While it would be easy enough to lock down the USB ports on employee PCs, many security managers say this is not a recommended approach. "If people want to subvert the process, they're going to find a way to get around any barriers you put in place," Miller says.
"And where do you draw the line? If you restrict USB ports and [cell] phones coming into the office that may have data storage ports, then you have to look at restricting infrared ports on devices and CD burners, and the list goes on and on."
It's better, he says, to handle the matter by educating people on how to treat the storage of sensitive information. "Most of the incidents that occur are unintentional [rather than] malicious, so that's where education comes in, as to proper handling and why it's important," Miller says.
Machado says he isn't a fan of blocking USB ports at WebEx, mainly because such a strategy would quickly devolve into users asking IT for exceptions to the rule and IT having to manage those exceptions. "Everyone has an exception that they think is important, which takes up more of IT's time than is necessary," he says.
What would be optimal, he adds, is to have a tool that sends an alert to people who are trying to copy files to USB drives or other unencrypted storage media, advising them that they're going against corporate policy. "Then they know they're empowered to make the decision, but that it's going to be tracked and monitored," he says.
On the other hand, DeKalb's Finney says she is interested in blocking technologies and is looking into the Vericept tool's ability to either block certain types of data from being transferred to an external storage device or alert her when someone tries to plug anything into a PC that's not native to that computer.
Ideally, she'd like a tool that would also remind employees that corporate policy forbids sensitive data to be stored on external devices.
Meanwhile, Michigan's Grand Valley State University, and other colleges and universities where professors and students have lost flash drives with sensitive data, are looking into standardizing on password- and encryption-protected USB drives to protect them in the future.
4. PDAs and smart phones
More and more employees are showing up at work with some form of smart phone or personal digital assistant, be it a BlackBerry, a Treo or an iPhone.
But when they try to synch up their device's calendar or e-mail application with their own PC, it can cause problems ranging from application glitches to the blue screen of death.
"Those types of problems are not uncommon - it's the mundane things like that that can drive IT nuts," Holbrook says. "It's not how they want to be spending their time."
Moreover, should the employee quit or be fired, he can walk out the door with any information he wants, as long as the PDA or smart phone belongs to him.
Like some other companies, WebEx minimizes those possibilities by standardizing on a single brand and model of PDA and letting employees know the IT organization will only support that one device.
WebEx does the same thing with laptops which, Machado notes, represent an even greater threat than PDAs because they can hold even more data. Any unapproved devices are not allowed on the WebEx network.
Continued:
Camera phones, Skype, widgets and virtual worldsRelated content:Frontiers of riskMITS: The Grey, The Dark and The DirtyFive stumbling blocksFederal exec touts workplace privacyNew certification seeks governance excellenceToday's IT professionals: New roles, new salaries
icon.
