iPod security still a stumbling block for firms

Is 'most people won't steal from us' approach secure enough?

By Will Sturgeon, 6 April 2005 16:15

With each update and new launch the Apple iPod continues to break its own sales records, but awareness of the threat the must-have device poses to companies is still very limited.

And iPods are just the most famous tip of the iceberg. Companies are also failing to clamp down on the use of USB memory keys and many other removable storage devices – all of which have the potential to either unwittingly or maliciously undermine a company in the wrong hands.

According to recent research 87 per cent of companies have failed to prevent the unauthorised introduction of such devices onto the network – this is despite 51 per cent of respondents saying they are aware of the risks posed.

More than a third of respondents (36 per cent) said they don't feel portable media devices are a concern – which may be true for the majority of the time but according to Andy Burton, CEO of asset discovery and audit firm Centennial Software, who commissioned the research, it only takes the one instance of abuse to seriously threaten a business.

Burton told silicon.com that by and large "there is no business case for connecting an iPod at work". He said companies should therefore give serious consideration to whether any level of risk is worth assuming as the liberation of up to 60Gb of data from any organisation can pose a very real threat.

Burton said in instances where some departments or individuals do have a business case for using iPods – such as radiologists in one hospital in the US, as reported by silicon.com – these are specific permissions which should be switched on in isolation, not as a rule across the whole organisation.

Burton said the issue shouldn't be seen as a thorny one of handing down draconian measures to staff but simply as common sense and business best practice – especially in an age of compliance where directors have to offer guarantees relating to the nature of activity on their networks.

The threats relating to iPods and other MP3 players range from the introduction of copyrighted media onto the corporate network for which the company becomes liable, to the theft of business critical data, which is a threat in common with other removable devices.

Interestingly though, most respondents classified the greatest threat as the introduction of malicious code which could be accidental or an intended act of sabotage.

Many companies have been tolerating the use of removable media on their networks for some time now, largely because they didn't spot the threat early on and acceptance has become rife.

Speaking at the e-crime Congress in London, Neil Fisher, director of security strategy at QinetiQ, said: "Where new technologies are concerned businesses are very slow to pick up on the risks. The security issue is not really thought about early enough."

Comments

There are 10 comments.

  1. anonymous

    As usual security reports highlight the wrong issue (so that they can attract more readers thanks to "iPod" being in the title).

    Anyway, just as banning cameras on site is not going to ensure security, putting focus on USB drives is not going to help companies either.

    Focusing on "cameras" hides the fact that these companies should instead focus on not having their trade/manufacturing secrets in plain sight.

    Just the same way, companies should focus on protecting sensible information on their networks rather than focus on USB ports: either the person has access to sensitive info or not (Ed note. But what if it is sensitive data they need to see on a day to day basis, such as a salesperson working with a database of sales leads? Your assumption is that untrustworthy people would only covet areas of the network they should reasonably be denied access to, which is wrong. By stopping that person bringing in large personal storage devices you at least limit the liability.); if the person has access, the info can get out of the system one way or another; the USB drive just makes it easier than using DVDs, CDs, floppies, paper or good old memory.

  2. Simon

    Someone change the record please, it's getting old hat to put iPod in the title just because it's the 'cool gadget du jour'. The article is absolutely nothing about iPods, but about storage devices in general (as is acknowledged if you get as far as the second paragraph).

    As a previous comment points out, there are many, many ways to get data out of a system - and perhaps the best way to prevent it is to restrict access appropriately. Yes, a salesperson may need to use a client database daily, but they shouldn't need to be able to copy the file holding the data.

    And contrary to what some people would tell us when trying to sell their latest snake oil, oops, security product, if you can't trust your staff ...

  3. Bob Hail

    The weakest security link is the Human Element, removing these from your company would guarantee no breaches.... No sales, no fun. Why can't everyone take a balanced approach to security? If you are hiring people that are likely to steal from you then they will, whether or not they have an iPod.

  4. Richard Sheppard

    First, identify your "precious" data:

    Recently I tried to help a medium sized organization to write its "User Policies."

    However, although they handled some highly sensitive personal and financial data, they had no concept of giving this data any special classification or "protective marking."

    They had no policy about who could access particular data; either on paper or electronically.

    Inevitably the organization tried to protect everything, and failed.

    Different departments worked to different rules.

    People who really needed access to sensitive data were denied it.

    With such organizations, it is vital first to decide the overall data policy before worrying about individual potential threats.

  5. anonymous

    Though I agree with the "if you don't trust them - don't give them access" points made, I work for a company which has banned iPod connections to company workstations for the reasons of file legality.

    One user in our instance was maintaining 40GB of music on their local hard drive. Another complained at losing their music collection when their HD failed, principally because they hadn't got another copy!!

    From my point of view the issues are more of supporting hardware and data which has no business merit.

  6. Alan Keen

    I agree with those who think that this is a fuss about nothing - or at least about the wrong thing. I work for a large organisation which is by no means unique in issuing all its staff with laptop computers - which they are encouraged to take home with them each night. Why worry about staff copying data on to an iPod in the office when they can copy data from the network to their hard disk and then take it home, connect to the home network and send it wherever they want!

  7. Mickael Behn

    I think the biggest Security risk is stating that the iPod is a security risk in the headline. I think I’ve seen this same article some 5 times with security risk and iPod in the headline. Anything is a security risk, and if someone really wants something they will find a way to get it. For example is Paper and a Pen a security risk? Yet people could write down what they see in files, that’s a security risk. So let’s ban pen and paper. Printers, they could print out the info, another Security Risk; let’s get rid of that too.
    Simple Security is limiting sensitive file information to (a) a limited group (b) a trusted group.
    Preventing everyone access to every file, is probably a good move as well. So, that a 6 year old with an iPod doesn't connect his iPod to a company computer; and copy all the files to it.
    I am really disappointed with all the security "scare issues" because I really thought people here were smarter than that.

  8. David MacLeod

    Yes, but when the guys at the top have them, what chance do you have of outlawing them?

  9. David MacLeod

    Yes, but when the guys at the top have them, what chance do you have of outlawing them?

  10. anonymous

    For some time there has been significant worry about high-capacity, portable media devices such as key fobs, DVD burners, MP3 players, and iPods. While iPods running special software to seek and download confidential information is a newer twist, it shouldn't be shocking. People have been making modifications to all sorts of things, even game consoles, for years with the intent of hiding the true operation of a device.

    An iPod may pose a more significant threat because most people wouldn't think twice about seeing an iPod connected to a computer; it has become commonplace. However, the bigger issue is identifying which assets on your network are critical, taking the appropriate steps to make them secure and control access to said assets. In addition to preventative measures, an overall solution must be coupled with detective techniques to audit and monitor all the moving parts. Limiting what people attach to the network can be helpful, as can separation of duties, least privileges and need-to-know access, but in most mid-sized to large organizations, these concepts rarely have holistic coverage. Because in the "real world" preventative measures rarely scale, monitoring is especially important, and detection becomes supreme.

    With the right level of preventative and detective measures in place for a particular organization, removable media becomes a less critical issue, and employees can still take advantage of products like iPods while maintaining the security integrity of the organization.
