In Depth
Winning the Consumer Gadget Wars
CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets
By Daintry Duffy
These kinds of scams frequently snare people who are in a hurry and will disregard something that looks a little unusual in their haste to get online. Educate employees to use wireless carefully and to avoid sending company confidential or sensitive information over wireless unless it is absolutely necessary and the system's safeguards have been approved by corporate security.
Peer-to-Peer and Web-Based Services
The casualties of convenience. Peer-to-Peer (P2P) technologies and Web-based services are different animals, but they have three important qualities in common. Employees can download these tools easily, most of them offer something workers see as a useful productivity-enhancing service, and most of them tunnel right through the corporate firewall by riding outbound connections on the Web ports the firewall already allows, so the perimeter controls never get a say.
Take GoToMyPC, a Web-based service owned by Citrix Online. An employee can download the GoToMyPC software to his office PC, and it allows him to access the contents of his office workstation remotely from any PC connected to the Internet by typing in a user name and password. The GoToMyPC folks have published a 10-page white paper touting their security, but some basic control issues exist that should concern security executives. First, no matter how secure the program is, the session is brokered by the vendor's servers, and the traffic and its security logs are out of the CSO's direct control. Second, security executives have no control over the machine that the employee uses to remotely access the corporate network. It could be an Internet café where a hacker has installed keystroke loggers, or it could be a home PC using an unsecured wireless network. P2P technologies such as instant messaging and Skype are just as alluring and raise the same questions.
At First Data, Mellinger uses a proxy server from Blue Coat Systems to limit these kinds of external connections. Blue Coat enables Mellinger to control certain kinds of connections and provide appropriate warnings for others. Of course Mellinger doesn't want to interfere with the regular course of business, so he cautions that you have to work through the kinks with any product to ensure that employees can still access all the tools they need. "We have lawyers who need to go out and look at certain sites that we would otherwise not allow employees to visit," he says. Mellinger and his team are fine-tuning Blue Coat to match their exact needs.
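The kind of proxy policy Mellinger describes, categories that are blocked, categories that only warn, and a per-group exception such as the lawyers' sites, can be sketched in a few dozen lines. The following is an added example, not code from the article, from First Data or from Blue Coat; the log format, domains, category lists, group names and the "CONNECT tunnel to a non-443 port or bare IP" heuristic are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed, Squid-style access-log lines; not real traffic.
# Fields: epoch_time user client_ip method host:port status
SAMPLE_LOG = """\
1696000000.101 alice 10.0.1.5 CONNECT www.gotomypc.com:443 200
1696000003.220 bob 10.0.1.9 GET www.example.com:80 200
1696000005.330 carol 10.0.1.12 CONNECT api.skype.com:443 200
1696000007.440 dave 10.0.1.20 CONNECT 203.0.113.7:8200 200
1696000009.550 lawyer1 10.0.1.31 CONNECT evidence-host.example:443 200
1696000011.660 erin 10.0.1.44 CONNECT evidence-host.example:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<status>\d+)$"
)

# Assumed category lists (illustrative domains, not a vendor category feed).
CATEGORIES = {
    "remote_access": ("gotomypc.com",),
    "p2p_im": ("skype.com",),
    "restricted_site": ("evidence-host.example",),
}
# Assumed policy: what the proxy does with each category.
POLICY = {"remote_access": "block", "p2p_im": "warn", "restricted_site": "block"}
# Assumed exemptions: group -> categories its members may reach anyway.
EXEMPTIONS = {"legal": {"restricted_site"}}
USER_GROUPS = {"lawyer1": {"legal"}}
# Assumed heuristic: CONNECT tunnels are expected only to TLS on 443;
# other ports, or a bare IP instead of a hostname, are treated as tunnelling.
TUNNEL_PORTS = {443}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def categorize(host):
    """Return the category whose domain suffix matches host, else None."""
    host = host.lower()
    for cat, domains in CATEGORIES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return cat
    return None


def decide(entry):
    """Apply the policy to one parsed entry; returns (decision, reason)."""
    cat = categorize(entry["host"])
    if cat is not None:
        groups = USER_GROUPS.get(entry["user"], set())
        if any(cat in EXEMPTIONS.get(g, set()) for g in groups):
            return "allow", f"{cat} exempted for group(s) {sorted(groups)}"
        return POLICY[cat], cat
    if entry["method"] == "CONNECT":
        if int(entry["port"]) not in TUNNEL_PORTS or IP_RE.match(entry["host"]):
            return "block", "CONNECT tunnel to unexpected port or bare IP"
    return "allow", "uncategorized"


def evaluate(log_text):
    """Parse every line and attach a decision; malformed lines are
    reported as 'unparsed' rather than silently dropped."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            results.append({"raw": line, "decision": "unparsed",
                            "reason": "malformed line"})
            continue
        entry = m.groupdict()
        decision, reason = decide(entry)
        entry.update(decision=decision, reason=reason)
        results.append(entry)
    return results


def summarize(results):
    """Count decisions; the first number to look at when tuning the policy."""
    return Counter(r["decision"] for r in results)


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(r.get("user", "?"), r.get("host", r.get("raw")),
              r["decision"], r["reason"])
    print(dict(summarize(evaluate(SAMPLE_LOG))))
```

The exemption is keyed on group membership rather than on individual users so that the legal team's carve-out survives staff changes, and the tunnel heuristic catches services that avoid a known domain by connecting straight to an IP on an unusual port.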
At ARC, Bhatt has found that communicating with his employees is an effective way to deal with a lot of the P2P and Web activity. "Almost 100 percent of the time, people are just trying to get something done," says Bhatt. He tells employees that he wants them to feel comfortable asking questions about new products and online services without fear that they will be frowned on. If there is a cool new service that an employee wants to use, security will check it out; if security is not comfortable with that service, it will seek a secure alternative. If there is none, security will explain why not and why that kind of activity puts the company at risk. "When users know what the danger is, it works well," says Bhatt.