I live in the Washington DC area and there is much Beltway buzz about the Washington Post article on Tiversa’s discovery of a House ethics report openly available on a peer-to-peer music stealing file sharing network. The first reaction, of course, was to blame a cyber-attack, likely launched by the Chinese or maybe the North Koreans. But, as usual, it appears it was most likely a staffer who stored the report on a home PC that had the music stealing file sharing P2P client installed.
The staffer will likely be fired – there is surely some policy document they signed forbidding this and detailing their responsibilities and the consequences. But the damage has been done, the information is out. Combine the “myth of the responsible user” with the complexities and low security levels of consumer grade software and configurations and you have lots of these incidents occurring daily.
Now, the knee-jerk reaction will likely be to try to legislate bans on P2P software but that is dealing with the symptom, not the problem. The problem is that normal users can never keep up with what needs to be done to keep business data secure on their home PCs or on consumer-grade web sites and services. Enterprises have to put security controls in place to monitor, contain and ultimately secure the use of all business information, whether in the data center, on a managed PC or on a home PC.
There are actually a number of ways to do so – in “Optimal Approaches for Secure Use of Consumer IT” Mark Nicolett and I detailed a strategy with some typical scenarios. None of the solutions are perfect, but there are many ways to match the business need for use of consumer technologies with an appropriate risk level – just ignoring the use leads to incidents like what hit Congress.
5 responses so far ↓
3 Elizabeth Woods // Nov 2, 2009 at 5:03 pm
sounds like a big opportunity for in-browser document storage like google apps but locked down harder
4 John Pescatore // Nov 3, 2009 at 9:26 am
Re: “in-browser document storage like google apps” Well, Google apps Premier Edition (which you pay for) gives you some level of control to at least prohibit inadvertent user sharing outside of domains. Without that, yes – cloud-based storage does eliminate PC-based apps from stealing data but there is plenty of browser-based malware to do the same thing to cloud-stored documents.
It really comes down to you get what you pay for.
5 Wednesday Whimsy: Invest in Prevention, or Legislate Away Threats?y // Nov 18, 2009 at 8:53 am
[...] – I knew this was coming, as I blogged back on November 2nd when the government information leaked out via employees with file sharing [...]