First a proof-of-concept virus for the iPod is created (of note to the 10 of you who install Linux on your iPod). Then a company called NextSentry (which sells security products related to removable storage devices) calls for a workplace ban. Now Network World’s Cara Garretson says “it would seem that iPods pose a particularly high risk to corporations that let employees wander into work with these devices strung to their ears.”
Network World informs its readers that “Those same devices that entertain workers during their commute can be used to copy personal or financial data, intellectual property and other sensitive information from corporate PCs, often without a trace.”
Wow, way to be on top of this aspect of the iPod. Let’s see, when did it gain the functionality to act as an portable hard drive? Oh, right, when it was first released in November 2001. And when did it gain PC compatibility? As recently as July 2002.
“If you see someone walking in the door with an iPod they don’t look like a threat, but to me I see the ability to download reams of files, and it might just look like they’re downloading music,” said Jim Hereford, CEO of NextSentry, which issued the suggested iPod ban.
But Hereford clarified the suggested ban by noting that “We’re not saying companies shouldn’t allow iPods, but they better have endpoint security on their desktops.”
Endpoint security technology blocks information that’s been deemed sensitive from being copied onto removable media, e-mailed or printed. And who sells such technology? Why, it’s available from NextSentry!
So when they said companies should ban iPods from the workplace, they were really just saying ‘Buy our products’ (or else your company will perish).
Thankfully there’s some sanity brought to the discussion.
“Devices such as iPods and other MP3 players are basically storage devices; some can store substantial amounts of data and are innocuous enough that their presence is almost unnoticed in our daily lives,” says Tom Scocca, investigator and global security consultant for a large provider of microprocessor manufacturing technology. “Controls targeted at these devices should be based not on the type of device, but on the risk that companies are willing to accept by allowing any type of external storage device into the environment.”
So “Can an iPod bring down your company?” Certainly a malicious employee with an iPod can do so. Of course, so could a malicious employee with a CD burner, hammer or box of matches.
“We have to rely on our trusted employees,” agrees David Jordan, CISO at Virginia’s Arlington County.
However, Jordan adds that if an employee comes in with malicious intent, “there’s not much we’re able to do about that except prosecute, and we have had people go to jail for breaking the rules.”