At Forrester Research, analysts get to try out the latest “cool” technology for themselves: PDAs, Wi-Fi laptops, nifty storage devices. They also have the opportunity to try out some technology that many people would consider much more mundane: network “sniffing” software and intrusion-detection devices.
This state of affairs has led to some interesting security revelations at the Cambridge, Massachusetts-based technology research company. “We’ve pretty much experienced all the rogue technologies out there,” says Richard Belanger, Forrester’s chief technology officer. “We’ve found unauthorized Wi-Fi hotspots, had our computers in the office infected by employees using their laptops from home without a firewall, and discovered copyrighted material on corporate laptops that had been downloaded using music file-sharing tools like KaZaA. But that’s what the analysts are there for; we’ve got hundreds of people trying every cutting-edge thing out there. Occasionally they get burned, and we [in IT] have to apply the cure.”
Most companies can’t cure what ails them as expeditiously as Forrester can — which is all the more reason that their IT departments are trying to stop trouble before it starts. And given the risk of an intrusion into corporate, competitive, and customer data, that seems wise. “In our estimation, 40 percent of organizations have wireless [networks] they don’t even know about,” says John Pescatore, vice president for Internet security at Gartner Inc., a Stamford, Connecticut-based technology research firm. “And the vendors tell us that number is low. We’re finding instances where babysitters are pulling corporate data from rogue access points and posting it on chat rooms.”
Before we go further, a clarification: In IT parlance, “rogue technology” doesn’t suggest anything about deceitfulness or a lack of principles. In many cases the “rogues” are well-meaning employees who try to wring more productivity from fewer IT dollars but — because they’ve wandered from the path of the tried-and-true — haven’t paid sufficient attention to the security risks or additional costs. Perhaps without management’s knowledge, they bought a PDA with their own money and used it to access the network, or they set up a Wi-Fi “hotspot” in a remote part of the corporate campus. Maybe they stored corporate data on a USB fob they got for free at a convention, or they used their cameraphone to take a few snapshots at work. Perhaps they used Yahoo or AOL to send an instant message to a colleague, a chat they didn’t realize would be vulnerable to interception since it occurred beyond the corporate firewall.
“These are honest, well-intentioned workers, but they’re also stupid, and they’re everywhere,” says Jack Gold, vice president of Meta Group, a Stamford, Connecticut-based technology research firm. “You tell them not to use this stuff in a corporate context or to at least inform IT before they do it,” laments Gold. “But you don’t want a police state.”
Where’s the Harm?
On the other hand, heaven knows, “anything goes” is no way to run a business.
You have plenty of reasons to care about rogue technology. “One reason is lost productivity,” replies Forrester chief financial officer Warren Hadley. “If employees are setting up their own technology solutions, they’re not doing what they’re being paid to do. And when something goes wrong — a virus infecting their laptop — they go to the IT help desk for help, which absorbs IT’s resources.”