By Kenneth Saxe, MCSE, MCSA, MCP, CNE, Senior Consultant
It's nothing to be ashamed of or embarrassed about.
We know as a business owner or manager you have constant struggles relating to your IT infrastructure:
1.) The need to protect the company and its customers' data balanced with the need to protect the rights of employees
2.) The need to protect the company and its data and other assets from outside threats and inside threats, and
3.) The need to embrace, or at least support within reason, the role of lifestyle computing (Internet, PDAs, etc.) in employees' lives, while keeping the corporate network clear of any liabilities that personal computing brings with it.
The relationship between employees and IT has never been more critical, yet management must navigate the path of determining acceptable risk carefully to avoid the pitfalls. The "head in the sand" approach will not work here. Navigate you must! Remember that inaction, like ignorance, is not a defense to the issues you may face in the future.
How do you determine acceptable risk? Let's look at an example.
One of the single biggest security impacts upon corporate IT is the infusion of "lifestyle computing" devices (e.g. smart phones, PDAs, mp3 players and USB storage devices, also known as "thumb drives") into the workplace.
Whether the intent is good or bad, these devices bypass traditional security measures and provide high-volume, high-speed, low-cost portable file storage that interacts with the network through a USB port. Uncontrolled, these devices can introduce inappropriate material to the corporate network or discreetly copy your company's sensitive data, which then walks out the front door with the employee.
It is not difficult to comprehend the threat of uncontrolled removable media devices to a business, but in tackling the issue you equally need to understand the legitimate cases that may exist for this technology and, indeed, the prevalence of such devices already operating within your business.
You will need to determine its impact upon the organization from both an education and an enforcement perspective. Therefore, you will need visibility of which devices are connecting to the network, by whom, for what purpose, and finally whether there is a better way to achieve the task.
By understanding this information you lower the risk of accidentally blocking legitimate use, you avoid the unnecessary overhead of managing the fall-out from suddenly blocking previously unblocked devices, and you secure the goodwill of employees in the roll-out and acceptance of any new policies relating to these devices.
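One way to get the "which devices" part of that visibility on a Windows host, as an added example that is not part of the original article: Windows keeps a record under the USBSTOR enumeration key of every USB storage device it has ever configured, even after the device is unplugged, so a read-only inventory script can be run per machine and consolidated centrally. The CSV export path at the end is a constructed placeholder.

```powershell
# Added example (not from the article): inventory USB mass-storage devices that Plug and Play
# has enumerated on this Windows host. Read-only; run in an elevated PowerShell 5.1+ session.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (-not (Test-Path -Path $usbstor)) {
    Write-Warning 'No USBSTOR key found: no USB storage device has been enumerated on this host.'
    return
}

# Instance IDs of USB storage devices attached right now, used to flag "present now".
# Get-PnpDevice ships with Windows 8 / Server 2012 and later; older hosts just skip this step.
$presentNow = @()
if (Get-Command -Name Get-PnpDevice -ErrorAction SilentlyContinue) {
    $presentNow = @(Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
                    Where-Object InstanceId -like 'USBSTOR\*' |
                    Select-Object -ExpandProperty InstanceId)
}

$inventory = foreach ($modelKey in Get-ChildItem -Path $usbstor) {
    # Key name encodes vendor, product and revision, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
    $model = $modelKey.PSChildName
    foreach ($instKey in Get-ChildItem -Path $modelKey.PSPath) {
        $props = Get-ItemProperty -Path $instKey.PSPath
        $serial = $instKey.PSChildName
        $instanceId = "USBSTOR\$model\$serial"
        [pscustomobject]@{
            Model           = $model
            # Device serial number; a device that reports no unique serial gets a
            # Windows-generated id ending in '&0', which cannot be tied to one physical stick.
            Serial          = $serial
            HasUniqueSerial = -not $serial.EndsWith('&0')
            FriendlyName    = $props.FriendlyName
            Manufacturer    = $props.Mfg
            PresentNow      = ($presentNow -contains $instanceId)
        }
    }
}

$inventory | Sort-Object -Property Model, Serial | Format-Table -AutoSize

# To consolidate across hosts (e.g. from a scheduled task), export one CSV per machine.
# The share path below is a constructed placeholder, not a real location.
# $inventory | Export-Csv -Path "\\fileserver\usb-inventory\$env:COMPUTERNAME.csv" -NoTypeInformation
```

The registry gives the "what"; pairing the exported instance IDs with logon records on each host supplies the "by whom" the paragraph also asks for.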
Locking down USB ports entirely is not a viable solution, as employees need them to connect a mouse, keyboard or printer. So in determining your company's acceptable risk you should also be prepared to tackle the obvious issue: if a removable media device must be used, it should be supplied and owned by the company, not by an individual employee. This formal separation is an important test in determining the ownership and usage of the information contained on the device, as well as of the device itself.
So... what is your level of acceptable risk? One uncontrolled connection, ten uncontrolled connections, or more? What are the odds that any single uncontrolled (and therefore unmitigated) instance could mean the loss of your customer lists, product designs or employee records? What would the consequences of that breach be to your business? Only your business can decide that, but once decided, you need an enforceable policy to mitigate the risk, which we will discuss next time.
Stay tuned ...
You may contact Ken Saxe for a free consultation by calling 717-757-6999 or 800-745-8233, or by sending him an email.