October 16, 2007
Study - Unapproved apps costly to security
You might want to stop using Skype, BitTorrent and World of Warcraft at the office, unless your IT department has approved the technologies (or if, you know, you actually want to get any work done).
FaceTime Communications has published its third annual report on security costs related to the use of so-called greynets -- identified by the company as consumer-oriented communications applications dragged into the workplace without permission from IT -- and the security company maintains that the technologies are currently costing enterprise customers roughly twice as much as one year ago.
According to FaceTime's yearlong survey of 700 employees and IT managers regarding their use and tolerance of greynets, it is nearly impossible to find an enterprise where the applications aren't popping up all over the place.
The report finds that there were an average of nine greynets in use within each of the enterprises interviewed for the study, with 99 percent of IT managers reporting the use of at least one greynet in their organizations (and those are only the ones they actually know about).
Even worse, the applications -- which FaceTime calls out for posing "myriad network and information security risks" related to malware, intellectual property loss, identity theft and compliance risks -- are leading to real attacks, as nine out of ten respondents to the survey reported that their company has dealt with a greynet-related security incident sometime in the last six months.
Meanwhile, only three percent of those participating claimed to have avoided greynet-related security problems altogether.
While FaceTime includes applications such as IM and VoIP which are often allowed by IT departments in its study, the company warns that less savory tools such as P2P file sharing systems, video streaming tools, and IP address "anonymizers" shouldn't be allowed by anyone looking to keep their networks protected.
And even in the case of IM and VoIP systems such as Skype, the company is reminding security workers looking to ban the applications that they often "circumvent the traditional security infrastructure designed for e-mail and standard Web traffic."
Based on the survey, the average cost companies have incurred in repairing any damage from greynet-related security incidents on company PCs has more than doubled over last year. Those IT managers surveyed reported that it cost them an average of almost $289,000 to repair or re-image PCs after malware attacks over greynets in the last year alone. The cost reported in the 2006 greynet study charted an average financial impact of only $130,000 per year.
On average, the report contends that IT managers experience nearly 39 greynet-driven incidents per month that require their attention, costing them roughly nine hours of work.
One of the biggest problems with the tools appears to be that end users seem willing to continue to use the technologies even after being told not to do so.
For instance, some 80 percent of IT managers surveyed labeled anonymizers -- which permit anonymous use of the Internet -- as "risky" to corporate networks. Yet, some 57 percent of end users responded that the tools aren't dangerous.
Even IM, perhaps the most innocuous of the applications (outside of tightly regulated or protected environments where it is forbidden), appears to strike IT workers and end users differently. Some 40 percent of IT managers responded that they feel that public IM use at work poses "serious risk," while another 46 percent said that IM poses "some risk," for a total of 86 percent.
Overall, 36 percent of the employees surveyed said that they have the right to download any tools that help them do their jobs, with 40 percent claiming that they already need the additional programs to do so.
Another problem highlighted in the study is the blurring of the line between personal and work devices -- which FaceTime names as one of the most significant greynet risks. Some 85 percent of those interviewed admitted that they use their work PCs for "personal, non-work purposes."
"This suggests to us that work-provided machines are being used more than ever to download whatever these users feel they need for their work and personal lives with little regard to policies or security," said Frank Cabri, vice president of marketing and product management for FaceTime. "Often times this perception among workers is at odds with what IT people want, which is some level of ability to control, monitor and manage what people are doing on their work PCs."
Cabri contends that companies need to do a better job of keeping workers informed of their policies related to greynet usage, and to implement technological means to try and block the use of applications -- when it seems feasible.
"These IT shops need to understand what employees feel they need to be productive and give them alternatives, sending an IM to a friend probably shouldn't be a violation unless you're working in an industry that forbids it through some type of regulation," he said. "What this problem truly warrants is understanding from both sides to better understand all the needs and risks involved."
"Most people don't intend to download malware intentionally, but they also have to know what clicking on a URL or IM could do to their organizations, and if a company can't get people to change their behavior, they should implement applications control tools and other filters to enforce their policies in real time," said Cabri.
"There's no one way to handle this problem, but if you can use something to let people know that you're watching when they do something that violates policy, there's a much better chance that people will change their behaviors."
Posted by Matt Hines on October 16, 2007 01:33 PM
- COMMENTS
You mean I can't catch up on my favorite network TV shows at work anymore? Bummer!
Seriously, you make some good and timely points about Stupid User Tricks, like using these greynets in a workplace. In addition to the security risks, let's not overlook the costs of lost productivity among workers who are using these greynet apps for personal use instead of for work related tasks.
Posted by: rc rpimak at October 16, 2007 03:13 PM
You’re asking for our opinions on where we believe rock-solid internet security starts? Well I’d have to say the starting point and foundation for network security is enterprise vulnerability management. If you don’t know what’s coming at you and you can’t tell you’re going to be in a world of hurt no matter what other security options you have chosen to use. From there it’s really a matter of having a good IIS firewall in place to combat those who would engage in such unscrupulous activities such as identity theft and finally you’ll also want to have a well rounded vulnerability scanner so that you can always assess threats your network might be susceptible to.
Posted by: Haley at October 27, 2007 09:56 PM