5. Camera phones
A hospital worker stands at a nursing station, casually chatting with the nurses. No one notices she's got a small device in her hand, on which, from time to time, she's pressing a small button.
A scene from the latest spy thriller? No, a security test conducted by DeKalb's Finney.
"One of the tests I did was to take my cell phone to the nursing station and start clicking off photos, unbeknownst to them," she says. "I wanted to download the photos, enhance the images and see what I got - patient information displayed on computer screens or on papers lying on the desk."
As it turns out, she didn't obtain any personally identifiable information, but she did glean the computer name (not the IP address) from the top of the photographed computer screen.
"That kind of information can add up to clues that can be compiled or combined with other information that someone could get from other sources in the facility to build a plan of attack," she says.
As a follow-up, Finney added information regarding this potential security breach to DeKalb's employee orientation and security awareness programs, so people are at least aware of how risky it is to expose sensitive data for others to see - and possibly photograph.
6. Skype and other consumer VoIP services
Another fast-growing consumer technology is Skype, a downloadable software-based service that allows users to make free Internet phone calls. In fact, 20 per cent of the respondents to the Yankee Group study said they used Skype for business purposes.
In a business setting, the threat presented by Skype and similar services is the same as that of any consumer software downloaded to a corporate PC, Holbrook says.
"Enterprise applications are highly scalable and highly secure, while consumer applications are less scalable and less secure," he says.
"So anytime you download Skype or anything else, you're introducing a security risk that IT is uncomfortable with." For instance, the software can interact with every other application on the PC or network, potentially affecting the performance of every application.
Skype itself has issued at least four bulletins announcing security holes that users can patch when they download the latest version of the software. But because IT often has no idea how many users have installed Skype, let alone who has done it, there's no way for them to police these efforts.
The most secure option, and one that research firm Gartner Inc. recommends, is to block Skype traffic altogether. If a business chooses not to do that, it should actively engage in version control of Skype clients using configuration management tools and ensure that it is distributed only to authorized users, Gartner says.
7. Downloadable widgets
According to Yankee Group, consumers are using devices such as the Q and the Nokia E62 to download widgets that give them quick access to Web applications.
These widgets can be easily moved to PCs, which, according to Holbrook, represent another entry point into the technology ecosystem that IT struggles to control.
The risk here is that these tiny programs use processing power on the PC and the network. And beyond that, any software that gets downloaded without being vetted represents a potential threat.
"It's not more likely to be infected with a virus, but you're downloading something you might not have a lot of trust in," Holbrook says.
WebEx mitigates this risk using a threefold approach. It educates users on the risks of software downloads; it uses Reconnex to monitor what's installed on user PCs; and it disables some of the users' default access rights, restricting their download capabilities.
8. Virtual worlds
Business users are beginning to experiment with virtual worlds such as Second Life, and as they do, IT needs to become more aware of the accompanying security concerns.
It would be short-sighted, Holbrook says, to simply block the use of these virtual worlds. "It's an application that people are just now figuring out how it can be useful in a business setting," he says.
At the same time, using Second Life involves downloading a large amount of executable code and putting it inside the corporate firewall, Gartner points out in a recent report. In addition, there's really no way to know the actual identities of the avatars that populate the virtual world.
Gartner suggests enabling employees to access their virtual worlds over the company's public wireless network, or encouraging them to do it from home. A third option is for companies to evaluate tools to create their own virtual environments that would be hosted internally within the enterprise firewall.