At Forrester Research Inc., analysts get to try out the latest cool technology for themselves: PDAs, Wi-Fi laptops, nifty storage devices. Their jobs also call for reviewing much more mundane technology, like network “sniffing” software and intrusion-detection devices.
Testing such tools has led to some interesting security problems at the Cambridge, Massachusetts-based technology-research firm. “We’ve pretty much experienced all the rogue technologies out there,” says Richard Belanger, Forrester’s chief technology officer. “We’ve found unauthorized Wi-Fi hot spots, had our computers infected by employees using their laptops from home without a firewall, and discovered copyrighted material on corporate laptops that had been downloaded using music file-sharing tools. But that’s what the analysts are there for; we’ve got hundreds of people trying every cutting-edge thing. Occasionally they get burned, and we [in IT] have to apply the cure.”
Most companies can’t cure such ills as easily as Forrester can, which is why corporate IT departments are trying to stop trouble caused by rogue technology before it starts. Observers believe there is plenty of trouble brewing. “In our estimation, 40 percent of organizations have wireless [networks] they don’t even know about,” says John Pescatore, vice president for Internet security at Gartner, a Stamford, Connecticut-based technology research firm. “And the vendors tell us [the figure is much higher].”
A clarification: in IT parlance, “rogue technology” doesn’t suggest anything about deceitfulness or a lack of principles. In many cases, the “rogues” are well-meaning employees who try to wring more productivity from fewer IT dollars but haven’t paid enough attention to security risks or costs. Perhaps without management’s knowledge, they bought a PDA with their own money and accessed the network, or they set up a Wi-Fi hot spot in a remote part of the firm. Or maybe they sent an instant message to a colleague via Yahoo or AOL, not realizing the chat would be vulnerable to interception since it occurred beyond the corporate firewall.
“These are honest, well-intentioned workers, but they’re also stupid, and they’re everywhere,” says Jack Gold, vice president of Meta Group, a Stamford, Connecticut-based technology research firm. “You tell them not to use this stuff in a corporate context or to at least inform IT before they do it,” laments Gold. “But you don’t want a police state.”
Chinks in the Armor
On the other hand, “anything goes” is no way to run a business. For one thing, rogue technology can actually lead to lost productivity. “If employees are setting up their own tech solutions, they’re not doing what they’re being paid to do,” says Forrester CFO Warren Hadley. “And when something goes wrong—say, a virus infecting their laptop—they go to the IT help desk, which absorbs IT’s resources.” Moreover, he says, “if someone sets up a rogue Wi-Fi access point, it can open up the entire corporate network to an outsider.”
Forrester executives speak from experience. “We saw a burst of rogue Wi-Fi activity nine months ago,” says CTO Belanger. For about $90 each, some Forrester employees bought their own wireless hubs and used them to help their workgroups access the network. Unfortunately, those hubs “basically allow[ed] any outsider with a Wi-Fi card in their PC to get into the corporate system,” remembers Belanger. Fortunately, he says, “we were using our network sniffing and intrusion-detection system and saw this weird traffic on the backbone network. We eventually tracked it down to an unauthorized hub right on our campus.”