4. PDAs and smart phones
More and more employees are showing up at work with some form of smart phone or personal digital assistant, be it a BlackBerry, a Treo or an iPhone. But when they try to synch up their device's calendar or e-mail application with their own PC, it can cause problems ranging from application glitches to the blue screen of death. "Those types of problems are not uncommon -- it's the mundane things like that that can drive IT nuts," Holbrook says. "It's not how they want to be spending their time."
Moreover, should the employee quit or be fired, he can walk out the door with any information he wants, as long as the PDA or smart phone belongs to him.
Like some other companies, WebEx minimizes those possibilities by standardizing on a single brand and model of PDA and letting employees know the IT organization will only support that one device. WebEx does the same thing with laptops, which Machado notes, represent an even greater threat than PDAs because they can hold even more data. Any unapproved devices are not allowed on the WebEx network.
5. Camera phones
A hospital worker stands at a nursing station, casually chatting with the nurses. No one notices she's got a small device in her hand, on which, from time to time, she's pressing a small button. A scene from the latest spy thriller? No, a security test conducted by DeKalb's Finney.
"One of the tests I did was to go to take my cell phone to the nursing station and start clicking off photos, unbeknownst to them," she says. "I wanted to download the photos, enhance the images and see what I got -- patient information displayed on computer screens or on papers lying on the desk."
As it turns out, she didn't obtain any personally identifiable information, but she did glean the computer name (not the IP address) from the top of the photographed computer screen.
"That kind of information can add up to clues that can be compiled or combined with other information someone could get from other sources in the facility to build a plan of attack," she says.
As a follow-up, Finney added information regarding this potential security breach to DeKalb's employee orientation and security awareness programs, so people are at least aware of how risky it is to expose sensitive data for others to see -- and possibly photograph.
6. Skype and other consumer VoIP services
Another fast-growing consumer technology is Skype, a downloadable software-based service that allows users to make free Internet phone calls. In fact, 20 percent of the respondents to the Yankee Group study said they use Skype for business purposes.
In a business setting, the threat presented by Skype and similar services is the same as that of any consumer software downloaded to a corporate PC, Holbrook says. "Enterprise applications are highly scalable and highly secure, while consumer applications are less scalable and less secure," he says. "So anytime you download Skype or anything else, you're introducing a security risk that IT is uncomfortable with." For instance, the software can interact with every other application on the PC or network, potentially affecting the performance of every application.
Skype itself has issued at least four bulletins announcing security holes that users can patch when they download the latest version of the software. But because IT often has no idea how many users have installed Skype, let alone who has done it, there's no way for them to police these efforts.
The most secure option, and one that research firm Gartner Inc. recommends, is to block Skype traffic altogether. If a business chooses not to do that, it should actively engage in version control of Skype clients using configuration management tools and ensure that it is distributed only to authorized users, Gartner says.