Employees' Gadgets A Security Weak Link

Businesses face a growing threat, not from outsiders, but from their own workers armed with consumer gadgets, such as flash drives and smartphones.

The risk was prominently spotlighted by the Edward Snowden scandal. Using an easily concealable thumb-sized USB flash drive, the rogue employee was able to steal thousands of top-secret U.S. documents.

For corporate security experts, the surge of tech gadgets just adds to a growing list concerns.

"There's no single point of potential compromise," said Doug Johnson, vice president of risk management policy at American Bankers Association.

Camera, Flash Everywhere

Recent criticism of Google (GOOG) Glass underscores the danger tech devices can pose. Many businesses have already banned the glasses, whose video camera can record everything the user sees. Not surprisingly, banks were among the first to ban them.

U.S. Bancorp's (USB) 2013 employee handbook permits only "authorized parties" to use "photographic equipment" — including cellphones — inside its facilities.

Citigroup (C) has restricted its employees' cellphone and USB port usage, especially important because such ports can be used to charge phone batteries.

The Apple (AAPL) iPhone and other smartphones can store data like a flash drive and come equipped with cameras, microphones and unmonitored Internet access.

While major companies have systems to guard against such breaches, they are by no means universal, said Ira Winkler, president of Information Systems Security Association.

"A lot of companies rely on (their) people to protect them selves," he said. "Companies have to learn they don't dumb down their security policies because someone wants to use a tablet.

A recent PricewaterhouseCoopers study said that the growth of smartphones, tablets, the "Bring Your Own Device" (BYOD) culture and the proliferation of cloud computing have elevated security risks, but efforts to implement mobile security systems continue to fall behind the increasing use of mobile devices.

Even though 47% of the study's respondents use cloud computing, only 18% have cloud security provisions.

'Defending Yesterday'

Mark Lobel, a PricewaterhouseCoopers principal who focuses on cybersecurity, said too many companies are "defending yesterday" — not looking ahead to visualize potential threats.

James Aquilina, a former federal prosecutor who now works at investigation firm Stroz Friedberg, said too many businesses have taken a lax approach toward threats from within — especially when employees are allowed to bring their own devices to work.

"Businesses have basically been quick and somewhat thoughtless to let their employees use their network," he said. "They're not thinking from a threat and control perspective.

For more security-conscious companies, some safety methods include disabling flash drives and placing an encryption mechanism that scrambles the data on those drives should an outside party attempt to access it. Another method is installing a "wipe" function that erases an employee's cellphone memory — with the worker's permission — should the phone be lost, stolen or otherwise compromised.

A multi-layered approach is one strategy that security experts recommend companies use to ward off any threats to their network or other proprietary information, while balancing the needs of employees to effectively do their jobs.

"There's no one control that will keep you safe entirely," said Sujata Ramamoorthy, director of information security at Cisco (CSCO). "It goes back to the level of trust and assurance you build with those users and devices.

Experts said it's critical that companies educate their workforce on security issues — and to make sure that their security technology is both current and isn't canceled out by other network security software.

"Security is only as strong as its weakest link," said Pat Calhoun, senior vice president of network security at McAfee, "but the problem is that companies have a number of products that don't talk to each other."