Encryption could address threat to data security of consumer storage products, says Alan Lawson
Information is an essential component of every daily business activity, and access to this information is key if employees are to be productive.
Equally important is access to fellow employees in a collaborative framework, generating information for the organisation's benefit - new products or strategies are commonly encountered reasons for such collaboration. Connecting employees, to each other as well as to the information they require, is a natural priority for all organisations.
The costs to the organisation of enabling connectivity will often run into thousands for SMEs, and into millions for larger enterprises. Deployments are accordingly carried out at a high level, with the needs of the many taking priority over the specific requirements of the few - the result being that some employees may find their systems inadequate under certain circumstances.
Given the cost of deploying enterprise connectivity products, such as wireless networks, the assumption might be that employees would simply have to put up with the situation - after all, they can hardly invest in systems of their own to boost their productivity and/or make their working lives easier. Not so.
Two factors seriously undermine this assumption. The first is that many individuals outside the IT department possess enough IT knowledge to interact with whatever systems are in place within the organisation, above and beyond the basics of using the interfaces that are provided.
Such individuals may have considerable expertise, or simply know just enough to get themselves (and the organisation) into serious trouble. But surely, without access to dedicated hardware, there will be limits to the damage they can inadvertently cause? You would think this should end the debate, because enterprise systems are far beyond the reach of the average employee.
However, a second factor to consider is that the manufacture of powerful and effective communications technologies has become consumer-led, something enterprise security and management strategies do not always take into account. Combine the widespread availability of these sophisticated devices with the (hopefully) well-meaning intentions of employees and there is a potential recipe for disaster.
If wireless access points are not properly secured in accordance with the organisation's policy, then they provide an open door for misuse. This becomes a problem because it is as easy for employees to create their own wireless access at a fairly low cost in the office as it is for them to run off multiple copies of original content at home. Routers and wireless cards are available over the counter in every high street, enabling employees with even minimal technical knowhow to establish and maintain small wireless networks for their own convenience.
Cost is no longer a serious barrier, due to the steady reduction in high street prices, and apart from being convenient, the personal network might also carry a perceived benefit of being "cool". It is now easy to walk into any high street electrical retailer and buy a simple wireless networking kit for £100. Unless hardware in the organisation is locked down as part of the policy, such a device could be plugged into any of numerous network sockets, quite unnoticed.
Mobile devices, especially smartphones, are excellent examples of why consumer-led technologies now affect management and security issues. These devices possess steadily increasing amounts of storage space, through the use of onboard memory and various plug-in storage media, making it simple to carry around large amounts of data in multiple formats.
There is a perception that the mobile phone platforms are being increasingly targeted by virus writers, making data stored on such devices even more vulnerable. Although an individual's smartphone might be put out of action by a virus, the infection will not spread to impact the organisation to any great degree.
The biggest threat from the smartphone lies in its size - physical and virtual. Physically, most smartphones are still a little larger than mobile phones, usually due to the need for a decent-sized screen - but they are usually smaller than PDAs, and prey to loss or theft. The virtual size, the data storage availability, then becomes crucial - how much sensitive data has the employee placed onboard, and how is it protected?
Similar data-centric arguments apply to USB devices, such as iPods. The convenience of carrying around data has to be weighed against the risk should that same data be accessed on the move by an unauthorised user, or even lost outright. Many security-conscious organisations have taken a simple and direct response to this issue - by blocking the use of such devices entirely.
A simple complementary solution is to require that data should be encrypted, and can only be decrypted on authorised, properly secured resources. Some of the recent scares over data misuse and theft in the US would have been avoided completely if this point had been addressed.
The issue is primarily one of detection, identifying either areas or even individuals that present the greatest likelihood of non-conformance to an organisation's set network usage policies. Detection is a major element in managing the risks posed by consumer electronics in the workplace; it is essential if maverick activity is to be found and dealt with. Some potential problems will be easier to unearth than others. For example, scanning for wireless networks will be considerably less difficult than checking devices such as phones or music players for unauthorised data. Defining the scope of any existing problems can support educational efforts to stamp them out at source - with the employees themselves.
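The wireless-scanning form of detection described above, as an added example that is not part of the original article: it compares a site survey against an inventory of the access points the organisation actually deployed and flags anything that does not belong, or that belongs but is advertising weaker security than policy requires. The line format of the survey, the authorised inventory and the survey lines themselves are all constructed here for illustration and are not output of any particular tool.

```python
"""Detect unauthorised wireless access points from a site survey.

Added example, not from the original article. Assumes a survey tool has
produced one line per observed network in the constructed format
"BSSID SSID CHANNEL SECURITY SIGNAL_DBM" (a hypothetical format).
"""
from dataclasses import dataclass

# Constructed inventory of the organisation's own access points: the BSSID
# each deployed radio uses and the security mode policy says it must run.
AUTHORISED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWiFi", "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "CorpWiFi", "security": "WPA2"},
}

# Constructed survey output standing in for a real scan. It contains two
# authorised radios (one seen twice), an unknown radio copying the corporate
# SSID with no encryption, and an employee's home-style router.
SAMPLE_SCAN = """\
00:11:22:33:44:01 CorpWiFi 6 WPA2 -42
00:11:22:33:44:02 CorpWiFi 11 WPA2 -57
aa:bb:cc:dd:ee:01 CorpWiFi 6 OPEN -38
aa:bb:cc:dd:ee:02 dave_home 1 WEP -61
00:11:22:33:44:02 CorpWiFi 11 WPA2 -59
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str
    signal_dbm: int


def parse_scan(text):
    """Parse survey lines into Observation records, skipping blanks,
    comments and malformed lines rather than aborting the whole audit."""
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        bssid, ssid, channel, security, signal = parts
        observations.append(
            Observation(bssid.lower(), ssid, int(channel), security.upper(), int(signal))
        )
    return observations


def audit(observations):
    """Return one finding per suspicious BSSID as (observation, reason),
    strongest signal first so the nearest rogue is investigated first."""
    corporate_ssids = {ap["ssid"] for ap in AUTHORISED_APS.values()}
    findings = {}
    for obs in observations:
        authorised = AUTHORISED_APS.get(obs.bssid)
        if authorised is None:
            if obs.ssid in corporate_ssids:
                reason = "unknown BSSID advertising a corporate SSID (possible evil twin)"
            else:
                reason = "unknown BSSID with non-corporate SSID (possible employee-installed router)"
        elif obs.security != authorised["security"]:
            reason = f"authorised BSSID advertising {obs.security}, policy requires {authorised['security']}"
        else:
            continue  # authorised and configured as policy requires
        findings[obs.bssid] = (obs, reason)  # repeated sightings collapse to one finding
    return sorted(findings.values(), key=lambda f: f[0].signal_dbm, reverse=True)


if __name__ == "__main__":
    for obs, reason in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{obs.bssid} {obs.ssid!r} ch{obs.channel} {obs.signal_dbm} dBm: {reason}")
```

Run against the constructed survey it reports the open "CorpWiFi" impostor first (strongest signal) and the home router second, and stays silent about the authorised radios. Feeding it real survey output only requires adapting `parse_scan` to the tool's actual line format; keeping the authorised inventory keyed by BSSID rather than SSID is what lets it catch a lookalike network using the corporate name.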
If further remedial action is necessary, restrictions can be placed at appropriate points. For example, locking down or disabling USB ports is an appropriate form of access control, and cuts many consumer devices out of the loop entirely.
It is worth concluding with a reminder that the maverick users we may need to control are not necessarily acting maliciously at all - these are individuals trying to boost their productivity and/or make their working lives a little easier, and the odds are that they believe they are showing initiative rather than undermining organisational policy.
These are individuals who should be encouraged to conform to security policy through improved understanding, rather than renegades that ought to be isolated and punished.
The organisation might well have its share of the latter - but we would hope that there is no need to presume the worst from the outset.
Alan Lawson is a research analyst at Butler Group