Using peer-to-peer (P2P) file sharing applications on the job raises the risk that confidential data residing on a user's PC might be inadvertently exposed to a cybercriminal, says the head of a security vendor.
It's tricky to prevent employees from using P2P applications at work, and besides, imposing a corporate policy to prevent them from using these networks is not necessarily the best approach, said Todd Feinman, CEO of security technology provider Identity Finder, a division of Velosecure.
Another useful policy is for employees to be aware of what actually lives on their systems, said Feinman.
"These employees don't realize that such sensitive information exists in their files," he said, adding that if the threat doesn't stem from P2P applications then it'll surely be from another.
Feinman said the enterprise edition of the company's security software, Identity Finder, is intended to help businesses search and secure confidential data residing on user systems, like employee identifications, telephone numbers, passwords/PINs, dates of birth, and Social Insurance Numbers.
It works by automatically trolling a user's computer system in places like a Web browser's auto-complete fields, Web pages and cookies, instant messenger logs and compressed files. The software can be customized to identify certain types of data, and the process doesn't require users to enter specific information about themselves, the company, or a customer. "
Once done, the user receives a report as a means to preview the action to be applied to the identified data.
Feinman said employees can use the software on individual systems, or IT administrators can apply the tool on the back end, by way of admin privileges, to scan file systems or e-mail clients of remote network computers. "[The latter is] a good approach because having all that information in one place allows you to run a report and say, 'Here's how much we're at risk.'"
However, he cautioned the sole downside to the backend approach is the inability on the part of the IT admin to take action on identified data. In this instance, IT can use the quarantine function to move data to a central server in case it needs to be restored to the user.
More often, though, Feinman observed IT admins including it as an extra feature on builds and computer images so employees can run it on a regular basis, while IT supports it.
Feinman suggests the following security process around Identity Finder: deploy the software, push it out to employees, customize it to individual needs, set a regular schedule to run a system search, and set pop-up reminders for action to be taken on identified data.
It's necessary that security measures be holistic, encompassing software, process and behavior, said Carmi Levy, senior vice-president of strategic consulting for AR Communications "It's one thing to implement the tool, it's a quite another to make sure all employees at all levels of the organization understand all the threats that expose the organization to unnecessary risk."
Identity theft is that "big breach right now", said Levy, adding that companies should indeed consider the risks of P2P applications. However, he noted that threats have merely morphed over time: a decade ago, the same dialogue centered on instant messaging, and later it became about Web 2.0-based applications. "At any given time in the history of the IT department, there will always be a new technology that raises fears."
Levy ventured to add that at the very least, IT departments would consider Identity Finder as an addition to its security arsenal.
However, he cautioned the software is a "fairly small utility type application", and not an enterprise-class solution considering its origins as shareware. Although the tool doesn't have the scalability of Norton-based software, he added "it certainly does plug some holes at the desktop level that enterprises up till now have not been able to plug on their own".
Given industry interest in combating identity theft, Levy is encouraged by the software's entrance into the enterprise sphere nine months ago, following a lengthy presence in the consumer space. If anything, he added, the new market entrant raises awareness around identity theft and raises the issue's level of importance to that given to virus and spyware protection.
But because prevention of identity theft is very much a behavioral issue, Levy said the danger is that a short-sighted IT manager might believe this software alone has covered all the business' security bases.
Licenses for Identity Finder are based on the number of employees. According to Feinman, the tool has the scalability to support both small and large-sized businesses, adding that it has been "rolled out to tens of thousands of machines."