IT Strategy: When consumer IT enters business, so does the risk of cyberattack

At first glance there would appear to be little to connect
Apple’s iPad and the Greek’s Trojan horse. After all, centuries separate the two
creations. The Trojan horse described in Virgil’s Latin epic poem The Aeneid was
wheeled into Troy in the Bronze Age: Apple’s much-hyped tablet device signifies
cutting-edge, 21st-century computing technology.

But the two creations are indeed linked. The Trojan horse was wheeled into
Troy after the Greeks pretended to give up their ten-year siege. It contained
soldiers who were able to open the gates to their hidden army, who as we know,
went on to sack the city.

Though not made of wood, horse-shaped, or containing hidden Greek warriors,
the seemingly innocuous iPad together with a gaggle of smartphones, PDAs,
netbooks, laptops, media players and other portable consumer electronics
products will similarly, inevitably be welcomed into businesses. But when
connected to business-critical computers and networks, they will open what could
be potentially dangerous back doors to malware and cybercriminal attacks.

The phenomenon of consumer IT entering businesses in this way is far from new
and the powerhouse behind the trend currently is, of course, the internet, which
is facilitating the convergence of computers and traditional consumer
technologies such as video and music. But the trend is gaining momentum. Ever
more powerful and sophisticated consumer devices that are widely distributed
today constitute a potent and growing threat.

Portable devices that have enough memory for high-definition videos also have
enough memory to harbour malware and discreetly steal sensitive data. Staff
setting up unauthorised WiFi networks in offices has long been problematic, as
hackers can exploit the soft underbelly presented by poorly-secured wireless
equipment.

And it is not just consumer hardware that poses a clear and present danger.
Let’s not forget the use of consumer websites and applications in the office.
MySpace and Facebook are insanely popular as are web-based email accounts such
as Hotmail or Gmail. Instant Messaging (IM) services such as Aim, Googletalk,
Windows Messenger and suchlike are similarly ubiquitous. The fast-growing trend
of delivering software over the internet cloud means companies are running many
applications on their systems that they do not know about and cannot control.

The obvious answer is to simply block these devices and websites. If staff
were blocked from connecting their phones and media players to work PCs, and
could only access approved websites, the potential for malware, hackers and
cybercriminals to infiltrate is greatly reduced.

But the obvious answers are often not the right answers. In the case of
consumer electronics, a prohibition approach is likely to be as successful as
banning alcohol in 1920s America. Technology and business experts agree that the
genie cannot be put back into the bottle.

Indeed, consumer-orientated technology is here, it’s not going away and
businesses must embrace it or risk losing vital competitive advantage, according
to research company Gartner. It predicts that, at least up until 2012, most of
the new information technology that companies will adopt will have their origins
in the consumer space in a kind of ‘trickle-up’ process.

The message is clear: assume your business has all ­ or at least most ­ of
these technologies in place already, whether they are wanted or not. No one can
effectively ban them and there is no point in pretending it isn’t happening,
either. It is important not to forget that, a few years ago, there was much
beating of breasts and gnashing of teeth as businesses wondered if allowing
staff to have internet access in the office would adversely affect productivity.
It would be all but inconceivable for a company today to ban internet access
simply because employees may send a few personal emails.

Similarly, companies should think very carefully before locking out the
potentially productive collaboration and communication medium offered by IM or
social networking. And then there is the human question: banning such services
is likely to impact on a company’s ability to hire and retain young, talented
and computer-savvy workers.

Pragmatism is the order of the day. Companies should look at their businesses
and see if they can benefit from adopting these emerging technologies. Could
mobile sales staff function more effectively with iPhones? Can web 2.0 social
networking technologies improve collaboration and communication?

However, throughout these evaluations companies must not lose sight of
potential security problems associated with the introduction of new technologies
as most consumer-grade services are not designed from the ground up with the
high security requirements enterprises need. This means that IT departments must
be able to audit the use and introduction of new services and rigorously lock
down any associated security issues.

It is said that those who fail to learn the lessons of history are doomed to
repeat its mistakes so, the message for companies is clear: beware of geeks
bearing gifts.