Employee gadgets pose security risk to companies

WASHINGTON--The many gadgets carried around by workers today pose a real security risk to organizations and require action, session attendees at a security conference agreed Tuesday.

Smart phones, handheld computers, thumb drives, digital cameras, iPods and other MP3 players can all connect to computers. That's fine when used at home, but when connected to a work PC, the devices can pose a serious risk, said Norm Laudermilch, chief security officer at Trust Digital, a McLean, Va., mobile security vendor.

Connecting the gadgets to work PCs could lead to a number of unwanted scenarios, Laudermilch said. For example, malicious code that crept onto the device at home could enter the corporate network unseen by the firewall or intrusion detection software, he said.

Also, a disgruntled employee could copy confidential information to the device and walk out with it. Classified information on a mobile device could be a business risk even when used by loyal workers, when their gadget is lost or stolen, for example.

Laudermilch spoke at the annual Computer Security Institute conference here. When he asked the room filled with security professionals if they thought mobile devices were an issue, the vast majority raised their hands.

The advent of mobile devices has changed the way security professionals should think about securing their networks, Laudermilch said. That's because networks change all the time, with different types of devices being added and removed, he said.

"Things change very quickly when devices are so small and just walk onto your network," Laudermilch said. "Your network perimeter is where your data is. I don't care if it is somebody walking in Paris, or somebody sitting at home. The security perimeter has drastically changed."

He also highlighted challenges in securing the portable gear. For one, they all run different operating systems. "We have all been training about the right things and wrong things to do with the Windows operating system," Laudermilch said. For smart phones alone there are at least four common systems: Palm, Windows, BlackBerry and Symbian.

Also complicating security is that new devices come out constantly, with different features. When it comes to phones, operators install their own software image on the hardware, Laudermilch said.

An upcoming class of software can help organizations manage devices on their network, or block the gadgets from connecting altogether. Many of the applications also encrypt data on devices, for security in case of loss or theft. Trust Digital sells such products, as do a host of other companies.

Gartner says mobile data security is a tiny market, but such products are needed to protect user privacy and fulfill audits, according to the analysts. Small incumbent vendors dominate the space, Gartner said in a July report.

"Mobile security today is a buzzword. Tomorrow, six months or a year from now, it is going to be just security. Everything is going mobile," Laudermilch said

[Bob Brinkman]

didn't..

They already run this story like a month ago?

[ScullyB]

and the month before that, and the month..

recurring theme on cnet, ban storage devices of any sort. They are all evil devices that should be done away with >:(

[R. U. Sirius]

Run one OS?

So their security mantra is to "run one OS", which I gather is supposed to be Windows, then all will be well with the world? How are iPods and PDA's any different from CD-R's, floppies, zip drives, etc.?

Answer: they all run alternatives to Windows.

[jerrellt]

That's what I'm talkin' 'bout

...what about floppy disks? Wouldn't they have been a security risk all this time? Sounds like a little too much techno-paranoia.

[ebrandel]

A PocketPC

So, PocketPCs or Smartphones running Windows CE 5.0 aren't running windows?

[Mister Long Face]

Most email webmail accounts allows a few gigs of storage too...

The fact is, unless the user is disconnected from nearly every peripheral and the internet (and they didn't bring anything to write with)there is a risk. But in the scheme of things this is a persistent low ranking one.

[ebrandel]

Most firms

that take security seriously also block access to most of the free interent email sites (not just the major ones).

[thedreaming]

Too easy

Back in the days of the first pentium, it was easy to stop people from copying stuff onto a disk, simply remove the disk drive. Now, it's just too easy to copy files to a usb drive or some other device or even just send it to yourself using the internet.

To really be 100% safe, data has to be paired with software so with out the proper software, the data can't be read and the proper software won't run on any machine, but only a work machine. That way people can have their toys and IT doesn't have to worry about people stealing data or software for that matter.

[open-mind]

DUH

Been true for the last 20 years.

Nothing new here ... just a little easier now.

[Thomas, David]

Irrelevant , Alarmist Story

... anything with a flash chip, the size of a thumbnail, can be used on anything. ...

This is one of THE stupidest stories this week.

[Thomas, David]

What Really Chaps My Backside ...

The headline under which this story stored ... "Ban the iPod at Work?"

What the ---ck are you talking about. Lets ban, all media ... PAPER POSES A SECURITY RISK ...

This story is just dumb, dumb and dumber. C/NET hire some REAL reporters.

[ebrandel]

Paper vs iPod

What's easier? Copying 4 Gigs of sensitive corporate material onto an iPod, or printing it all out onto paper?

And what would do more damage to a company? Printing out some expense reports or internal financial information, or performing a backup of a SQL DB onto an iPod and taking a companies complete sales history and customer list?

[neocliff]

Pointless

Great, ban all the media and gadgets you want - they are not the
issue. If I want to take information out the front door of a
company I can do it without using technology. Paper makes a
nice medium. Most companies have guards that "inspect" stuff
going out the door which means they glance at things from 5
feet away. Unless you follow a nothing in/nothing out policy you
are going to have potential leakage.

Further, many companies, including the one I work for, have
employees that use company laptops, mobile phones, etc. That
represents a huge opportunity for leakage as well.

Train your people on what the issues are, give them reasonable
policies that allow them to bring music players, etc into work,
and by and large people will make the right choices.

I think they call it trust.

[tennapel]

Humans are the security risk

Human behaviour is the risk, not the gadget. Following the same line of reasoning you could ban cars, airplanes, McDonalds, chewing gum and stairs. Come on C|Net, we can expect SOME intelligence with your reporters?