Now that the holidays are over, countless workers of all stripes will be bringing in their latest gizmos to show off and play with, giving networking pros one more thing to lose sleep over. With a little preparation and some sensible corporate policies, the risk these devices pose can be mitigated.
The primary threat posed, according to several experts, is the potential for data leakage as more and more devices contain mass storage drives. A new Ashton, Metzler & Associates study, sponsored by network management provider Netscout, found that more than half of 396 networking professionals said that employee-owned USB flash drives have a moderate or significant impact on IT infrastructure.
The survey also revealed that about 40% of respondents expected smartphones to moderately or significantly affect their infrastructure.
As these devices become more powerful, they also become larger targets for malware that can eventually find its way onto the corporate network.
Many employees use these personal devices for work, which means they often contain critical data: contacts, memos, PowerPoint presentations and databases. Much like other mass storage devices, a misplaced iPhone could put sensitive information into the wrong hands.
Maiwald said the threats go both ways and are often unintentional. A simple USB stick could bring a nasty virus variant from an infected personal computer, or it could be used to conveniently transport thousands of employee social security numbers – before being lost in the parking lot.
One key to combating these risks, Maiwald suggested, is to create a comprehensive corporate policy. But don't stop there. IT managers need to educate users about that policy.
"What is it that we're going to allow, and what is it that we're not going to allow," he said. "If we're going to allow personal devices on the network, then hav[e] some … education in place saying this is how we're going to deal with this."
There could be good reasons not to allow these devices at all. Dan Fontenot, IT manager for Arlington, Texas-based Shioleno Industries Inc., said he used Microsoft Active Directory to lock employees out of any devices or drives they might write to. Shioleno Industries produces custom wood and metal manufacturing and design.
"Our [policy] is as much about trying to keep information from going out as it is from going in," Fontenot said. "We spend a lot of money [on custom software] to develop products and develop them quickly. The last thing we want is someone to carry that knowledge to someone else."
Fontenot said the policy works well despite some employee grumbling about general security measures. When employees need to use a device – for example, burning a CD for a presentation – temporary access is granted and then withdrawn.
Such lockout policies come at a steep price in convenience for users, according to Maiwald, but he added that most of the alternatives were fallible.
"USB sticks are used for a reason. I've lost that usefulness [if external devices are prohibited]," he said. "There are some products that look at the data that moves between a PC and anything else [email, file transfers, etc.], but they have to know what to look for. If they don't know what to look for, they're not terribly helpful."
The mass storage threat may be proliferating, but it will not come as news to most IT organizations. In last year's SearchNetworking survey, protecting critical data was the top security priority for 24.87% of readers.