November 15, 2005 8:30 PM PST

Employee gadgets pose security risk to companies

WASHINGTON--The many gadgets carried around by workers today pose a real security risk to organizations and require action, session attendees at a security conference agreed Tuesday.

Smart phones, handheld computers, thumb drives, digital cameras, iPods and other MP3 players can all connect to computers. That's fine when used at home, but when connected to a work PC, the devices can pose a serious risk, said Norm Laudermilch, chief security officer at Trust Digital, a McLean, Va., mobile security vendor.

Connecting the gadgets to work PCs could lead to a number of unwanted scenarios, Laudermilch said. For example, malicious code that crept onto the device at home could enter the corporate network unseen by the firewall or intrusion detection software, he said.

Also, a disgruntled employee could copy confidential information to the device and walk out with it. Classified information on a mobile device could be a business risk even when used by loyal workers, when their gadget is lost or stolen, for example.

Laudermilch spoke at the annual Computer Security Institute conference here. When he asked the room filled with security professionals if they thought mobile devices were an issue, the vast majority raised their hands.

The advent of mobile devices has changed the way security professionals should think about securing their networks, Laudermilch said. That's because networks change all the time, with different types of devices being added and removed, he said.

"Things change very quickly when devices are so small and just walk onto your network," Laudermilch said. "Your network perimeter is where your data is. I don't care if it is somebody walking in Paris, or somebody sitting at home. The security perimeter has drastically changed."

He also highlighted challenges in securing the portable gear. For one, they all run different operating systems. "We have all been training about the right things and wrong things to do with the Windows operating system," Laudermilch said. For smart phones alone there are at least four common systems: Palm, Windows, BlackBerry and Symbian.

Also complicating security is that new devices come out constantly, with different features. When it comes to phones, operators install their own software image on the hardware, Laudermilch said.

An upcoming class of software can help organizations manage devices on their network, or block the gadgets from connecting altogether. Many of the applications also encrypt data on devices, for security in case of loss or theft. Trust Digital sells such products, as do a host of other companies.

Gartner says mobile data security is a tiny market, but such products are needed to protect user privacy and fulfill audits, according to the analysts. Small incumbent vendors dominate the space, Gartner said in a July report.

"Mobile security today is a buzzword. Tomorrow, six months or a year from now, it is going to be just security. Everything is going mobile," Laudermilch said.


They already run this story like a month ago?
Posted by Bob Brinkman (556 comments )
and the month before that, and the month..
recurring theme on cnet, ban storage devices of any sort. They are all evil devices that should be done away with >:(
Posted by ScullyB (47 comments )
Run one OS?
So their security mantra is to "run one OS", which I gather is supposed to be Windows, then all will be well with the world? How are iPods and PDA's any different from CD-R's, floppies, zip drives, etc.?

Answer: they all run alternatives to Windows.
Posted by R. U. Sirius (745 comments )
That's what I'm talkin' 'bout
...what about floppy disks? Wouldn't they have been a security risk all this time? Sounds like a little too much techno-paranoia.
Posted by jerrellt (17 comments )
A PocketPC
So, PocketPCs or Smartphones running Windows CE 5.0 aren't running windows?
Posted by ebrandel (102 comments )
Most email webmail accounts allow a few gigs of storage too...
The fact is, unless the user is disconnected from nearly every peripheral and the internet (and they didn't bring anything to write with) there is a risk. But in the scheme of things this is a persistent low ranking one.
Posted by Mister Long Face (1 comment )
Most firms
that take security seriously also block access to most of the free internet email sites (not just the major ones).
Posted by ebrandel (102 comments )
Too easy
Back in the days of the first Pentium, it was easy to stop people from copying stuff onto a disk, simply remove the disk drive. Now, it's just too easy to copy files to a USB drive or some other device or even just send it to yourself using the internet.

To really be 100% safe, data has to be paired with software so without the proper software, the data can't be read and the proper software won't run on any machine, but only a work machine. That way people can have their toys and IT doesn't have to worry about people stealing data or software for that matter.
Posted by thedreaming (573 comments )
Been true for the last 20 years.

Nothing new here ... just a little easier now.
Posted by open-mind (1027 comments )
Irrelevant , Alarmist Story
... anything with a flash chip, the size of a thumbnail, can be used on anything. ...

This is one of THE stupidest stories this week.
Posted by Thomas, David (1947 comments )
What Really Chaps My Backside ...
The headline under which this story stored ... "Ban the iPod at Work?"

What the ---ck are you talking about. Let's ban all media ... PAPER POSES A SECURITY RISK ...

This story is just dumb, dumb and dumber. C/NET hire some REAL reporters.
Posted by Thomas, David (1947 comments )
Paper vs iPod
What's easier? Copying 4 Gigs of sensitive corporate material onto an iPod, or printing it all out onto paper?

And what would do more damage to a company? Printing out some expense reports or internal financial information, or performing a backup of a SQL DB onto an iPod and taking a company's complete sales history and customer list?
Posted by ebrandel (102 comments )
Great, ban all the media and gadgets you want - they are not the
issue. If I want to take information out the front door of a
company I can do it without using technology. Paper makes a
nice medium. Most companies have guards that "inspect" stuff
going out the door which means they glance at things from 5
feet away. Unless you follow a nothing in/nothing out policy you
are going to have potential leakage.

Further, many companies, including the one I work for, have
employees that use company laptops, mobile phones, etc. That
represents a huge opportunity for leakage as well.

Train your people on what the issues are, give them reasonable
policies that allow them to bring music players, etc into work,
and by and large people will make the right choices.

I think they call it trust.
Posted by neocliff (22 comments )
Humans are the security risk
Human behaviour is the risk, not the gadget. Following the same line of reasoning you could ban cars, airplanes, McDonalds, chewing gum and stairs. Come on C|Net, we can expect SOME intelligence with your reporters?
Posted by tennapel (22 comments )
