Unsecured devices worry IT professionals

IT admins keep working to make networks secure even as more unsecured personal gadgets, like smartphones and BlackBerrys, find their way into companies.

It could be the basis of a new reality show: IT administrators battle unsecured devices accessing their networks while willful executives resist their security measures.

There are a lot of things IT people must focus on to make networks secure. At the same time, they must allow businesses and organisations to focus on their overall mission.

Lamenting their challenges, many network admins and IT managers offered up their security worries and successes at the IDC Security Forum in New York City last week.

For some administrators, the issues that top their security to-do list include insisting that executive BlackBerrys are password-protected and making sure the devices stay uncontaminated by viruses, worms or worse.

Audrey Pantas, Xerox's chief information security officer, insisted repeatedly that executives at her company secure their BlackBerrys with passwords. In the end, she won her case, but not without a lot of resistance.

Pantas illustrated her point with this anecdote. While on a trip, she found a BlackBerry on the road near a parking spot and saw that it was unsecured. She was able to find the owner's contact information, and discovered that the woman was an executive with a large company. "She told me 'thanks, this thing has my whole life in it,'" said Pantas. "I told her 'you're lucky it was me who found it, and you need to put a password on there right now.'"

Of course, not all her department's concerns are so easily addressed. It will be switching to smart cards in the next year, which will act as a computer sign-on mechanism.

Others at the forum said their problem is keeping the desktop clear of third-party devices that people bring to work, such as MP3 players, and stopping people from adding an EVDO card to the company-issued laptop so they can tap into a wireless network no matter where they are.

"It's really about user education," said Bob Blythe, World Wrestling Entertainment Inc.'s director of information technology. "If you talk with [users] one on one, they're usually pretty good about [clutter]." The WWE has about 500 seats.

Joanne Kossuth, chief information officer and associate vice president of development at Franklin W. Olin College of Engineering in Needham, Mass., has a fully converged network, which she helped design. The school is fairly young, with its first class graduating this past spring.

Providing a network that allows faculty and students to collaborate with each other, as well as those in other universities, is a lot of work. The students and faculty demand a lot of openness in such a system, but the IT department must always think of the security issues involved and communicate those concerns well to staff and students.

Andrew Baker, Warner Music Group's director of network services and security, spends a lot of his time educating others in the company about the need for security. IT managers may be weighing several projects, so it's imperative that they understand the importance of security, he said.

In New Haven, Conn., Tom Keogh, The United Illuminating Co.'s information consultant, has his plate full with his usual compliance work. The utility is a publicly traded company but on cyber-security standards that are being imposed on public utilities. And there is an upcoming round of new computers and software, which Keogh said will not be Microsoft's Vista.

Perhaps the biggest challenge for all IT network security professionals is keeping their networks safe while providing employees with remote access through devices that help them remain productive.

"The days of locking down all the desktops, having no extended networks and no computers leaving the building are over," Pantas said. "You're never going to close all the risk. You just have to be realistic about the risks you take."
