Affordable consumer technology causes problems for businesses

Some industry experts would argue that consumer technology competing with business-focused technology isn't a new trend at all - with some of the earliest PCs developed in the 80s occupying a limbo between fledgling business and home use. But it's fair to say that the integration of IT into almost every aspect of our personal lives - from online dating to in-car satellite navigation devices - has fundamentally changed expectations of technology design and user-friendliness.

The implication of this trend for IT departments is profound, not just in terms of procurement but, more importantly, for security. Enterprise networks used to be effectively ring-fenced by the fact that for a long time consumer gadgets were expensive, rare and, crucially, not mobile. Now the average staff member could bring tens of gigabytes of storage into the organisation in the form of their MP3 player, USB stick or mobile phone, storage that could be used to steal corporate data or upload malicious code.

"Offices are full of employees' personal technology, such as iPods, laptops, mobile phones, Bluetooth headsets and USB drives. This is in contrast to ten years ago, when technology tended to travel from the office to the home, and to some extent it still does," says former National High Tech Crime Unit detective Geoff Donson, now security manager for hosting company, Telecity Group.

Confronted with the reality that, gigabyte for gigabyte, company-owned IT could actually be equalled or even outnumbered by the amount of consumer devices in the average office, traditional ideas of how to secure corporate networks are being forced to react and evolve.

One option could be to erect a metal-detector in the company foyer and ban all non-approved gadgets from the office. "Some companies are simply banning the use of personal technology in the workplace for fear of the main concerns above. This is especially the case in many sensitive government premises," says Donson.

Aside from the practicalities of policing such a ban, it's not really an option that most IT managers can resort to, given the obvious human resource, not to mention recruitment and marketing challenges that would be thrown up once the news got out that the company was clamping down on employee freedoms.

A less draconian step would be to just ban the use of consumer technology for business use - as opposed to banning devices from being taken into company premises altogether - but even this is a decision that should not be undertaken lightly, according to experts.

"Obviously it's not a good idea to take a 'blanket ban' approach to the use of personal technologies within the workplace - it's a very Luddite approach to the future. The companies out there who do take this route, including those who have been hit by phishing attacks or data losses, will find they will come under increasing pressure to take a more open approach as the internet generation enters the work arena and demand for the use of Generation Y technology in the workplace soars," says former counter-terrorist army officer Neil Fisher, now vice president of global security solutions for Unisys.

Michael A Mason, former FBI agent and now chief security officer at Verizon Communications, agrees with the view that a total ban on consumer technology would not only be hard to enforce but could actually have a negative impact in terms of productivity.

"I do not believe it is a good idea to summarily ban the use of personal technology in the workplace," he says. "A better strategy might be to determine how this technology can be exploited to advance the objectives of the business. These devices are ubiquitous, especially with young people, and banning their use might not be the most effective strategy."

If companies do opt to acquiesce and accept that consumer technology isn't going away, what are the steps that can be taken to make sure the devices are not only as secure as possible but can actually be harnessed to improve productivity?

According to Donson, companies should take a pragmatic approach, through sensible usage policies combined with proactive network monitoring and getting employee buy-in. "This is far more effective than confiscating mobile phones at the front door. Companies can implement a number of tools or tactics, monitoring software that takes consumer technology into the workplace. By effectively turning consumer devices into terminals that access a virtualised instance of the employee's desktop hosted on a server, along with central network drives for all company data, company applications and data can be accessed through a browser without any real interaction with the consumer device.

This approach is already being used internally by around 400 staff at virtualisation specialist Citrix. The company launched its 'bring your own computer' (BYOC) to work scheme in September 2007 (see box, p28). It uses the company's XenApp technology to allow employees to access company applications while keeping the actual consumer device at a virtual arm's length from the corporate network.

Providing that this trend towards consumerisation continues - and there is nothing to indicate that it will slow down - what will the average corporate IT department look like in ten years' time - and what will it mean for those charged with managing IT security?

"In the future, I see security becoming more focused on the individual, with increased authentication of devices - we're already seeing some laptops requiring finger or face identification as proof of ownership and I expect enhancements in biometric technologies to fuel this trend over the next few years," says Fisher.