Holidays are over; now beware the gadgets

The post-holiday influx of consumer devices poses increased risk of data leakage and other threats to network security.

Now that the holidays are over, countless workers of all stripes will be bringing in their latest gizmos to show off, play with, and provide one more thing for networking pros to lose sleep over. With a little preparation and some sensible corporate policies, the risk these devices pose can be mitigated.

The primary threat posed, according to several experts, is the potential for data leakage as more and more devices contain mass storage drives. A new Ashton, Metzler & Associates study, sponsored by network management provider Netscout, found that more than half of 396 networking professionals said that employee-owned USB flash drives have a moderate or significant impact on IT infrastructure.

The survey also revealed that about 40% of respondents expected smartphones to moderately or significantly affect their infrastructure.

As these devices become more powerful, they also become larger targets for malware that can eventually find its way onto the corporate network.

Many employees use these personal devices for work, which means they often contain critical data: contacts, memos, PowerPoint presentations and databases. Much like other mass storage devices, a misplaced iPhone could put sensitive information into the wrong hands.

"If we're talking about a 60 gig iPod, there's lots of potential [for problems]," said Eric Maiwald, vice president and service director with Burton Group's Security and Risk Management Strategies.

Maiwald said the threats go both ways and are often unintentional. A simple USB stick could bring a nasty virus variant from an infected personal computer, or it could be used to conveniently transport thousands of employee social security numbers - before being lost in the parking lot.

One key to combating these risks, Maiwald suggested, is to create a comprehensive corporate policy. But don't stop there. IT managers need to educate users about that policy.

"What is it that we're going to allow, and what is it that we're not going to allow," he said. "If we're going to allow personal devices on the network, then hav[e] some ... education in place saying this is how we're going to deal with this."

Hardline lockout policies come at a steep price in convenience for users, according to Maiwald, but he added that most of the alternatives were fallible.

"USB sticks are used for a reason. I've lost that usefulness [if external devices are prohibited]," he said. "There are some products that look at the data that moves between a PC and anything else [email, file transfers, etc.], but they have to know what to look for. If they don't know what to look for, they're not terribly helpful."

The mass storage threat may be proliferating, but it will not come as news to most IT organisations. In our survey last year, protecting critical data was the top security priority for 24.87% of readers.

Read more on Network security management