In Depth

Winning the Consumer Gadget Wars

CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets

By Daintry Duffy

August 01, 2005

CSO — Technologies, particularly those marketed to the individual consumer, are evolving rapidly and in unpredictable ways. Since we wrote in 2002 about eye-catching technologies that bedevil CSOs (see www.csoonline.com/printlinks), cell phones have morphed into multifunction devices incorporating PDAs, cameras and MP3 players, leaving a trail of obsolete acceptable-use policies in their wake. This places security executives in the uncomfortable position of trying to set controls on a constantly shifting and mutating target.

The trickiest aspect of the problem is that many of these technologies are valuable business tools when used with the appropriate security controls. However, all too often, eager employees purchase, download or otherwise acquire these groovy gadgets and programs, and enthusiastically integrate them into their work environment, heedless of the holes they are punching in the company's security net.

Take Skype, the free, downloadable Internet telephony system that launched in August 2003. Skype users can make free phone calls to other computers all over the world. A great idea, right? Not if you work in security, because Skype encrypts all of its traffic and skirts firewalls. That's a bonus for users, but a nightmare for CSOs who can neither monitor nor stop the traffic. In the 51 days following Skype's launch, the company registered an impressive 1.5 million downloads and 100,000 simultaneous users. When programs like this catch on, they spread like dandelions in spring. At its one-year anniversary, Skype boasted approximately 9.5 million subscribers and 1.5 million users per day.

So how does a CSO kill the weeds without burning the grass? We took a look at four rowdy technologies: camera phones, portable data storage devices, wireless computing and the joint threat posed by peer-to-peer technologies (P2P) and Web-based services. They are well-meaning and widely used tools that can be office assets, but also can wreak havoc when used carelessly or maliciously. We sought the advice of security executives and other experts on the best steps to take to establish some control in the midst of the chaos.

Camera Phones

Prying Eyes. At many companies, a camera phone, great for office party snapshots or for capturing an interesting presentation slide, wouldn't raise an eyebrow. At Cardinal Health, cell phones equipped with cameras are a physical security threat.

Cardinal Health has its hand in almost every facet of a drug's lifecycle: from development, manufacturing, packaging and delivery to pharmaceutical distribution. To allow photographs of how valuable drugs move through these stages could create security vulnerabilities. Cardinal Health also handles personal medical information that falls under Health Insurance Portability and Accountability Act regulations. "To allow cameras anywhere near the process, from when we receive [the product] to when we deliver it to the end users, would be a huge vulnerability, and it's not one we're willing to accept," says Tim Gladura, the company's CSO.
