
Is 'most people won't steal from us' approach secure enough?
Published: 6 April 2005 16:15 BST
With each update and new launch the Apple iPod continues to break its own sales records but awareness of the threat the must-have device poses to companies is still very limited.
And iPods are just the most famous tip of the iceberg. Companies are also failing to clamp down on the use of USB memory keys and many other removable storage devices – all of which have the potential to either unwittingly or maliciously undermine a company in the wrong hands.
According to recent research 87 per cent of companies have failed to prevent the unauthorised introduction of such devices onto the network – this is despite 51 per cent of respondents saying they are aware of the risks posed.
More than a third of respondents (36 per cent) said they don't feel portable media devices are a concern. That may be true most of the time, but according to Andy Burton, CEO of asset discovery and audit firm Centennial Software, who commissioned the research, it takes only one instance of abuse to seriously threaten a business.
Burton told silicon.com that by and large "there is no business case for connecting an iPod at work". He said companies should therefore give serious consideration to whether any level of risk is worth assuming as the liberation of up to 60Gb of data from any organisation can pose a very real threat.
Burton said in instances where some departments or individuals do have a business case for using iPods – such as radiologists in one hospital in the US, as reported by silicon.com – these are specific permissions which should be switched on in isolation, not as a rule across the whole organisation.
Burton said the issue shouldn't be seen as a thorny one of handing down draconian measures to staff but simply as common sense and business best practice – especially in an age of compliance where directors have to offer guarantees relating to the nature of activity on their networks.
The threats relating to iPods and other MP3 players range from the introduction of copyrighted media onto the corporate network for which the company becomes liable, to the theft of business critical data, which is a threat in common with other removable devices.
Interestingly though, most respondents classified the greatest threat as the introduction of malicious code which could be accidental or an intended act of sabotage.
Many companies have been tolerating the use of removable media on their networks for some time now, largely because they didn't spot the threat early on and acceptance has become rife.
Speaking at the e-crime Congress in London, Neil Fisher, director of security strategy at QinetiQ, said: "Where new technologies are concerned businesses are very slow to pick up on the risks. The security issue is not really thought about early enough."