When I wrote about the danger of USB memory sticks a couple of days ago, I was thinking of them in terms of the security breach that allowed hundreds of thousands of U.S. State Department messages to end up at WikiLeaks. But then I plugged my BlackBerry into a USB cable so that I could synchronize with the BlackBerry Desktop Manager, and I realized that I really hadn't covered the problem. You see, along with the BlackBerry Desktop Manager, a Windows dialog box opened asking if I wanted to use the memory card in the phone for storage.
And therein lies the problem. As big a risk as USB memory sticks are, there are other risks that may be bigger. One of those risks is smartphones, because they can be both a means of extracting data from your enterprise and the pathway needed to send it where it shouldn't be. Worse, it's difficult to issue smartphones to your employees without allowing them to synchronize their appointments, calendars and the like.
As a result, you can't just ban the connection between an employee's computer and their smartphone. Instead you have to manage the situation so that employees can synchronize what needs synchronization, but not load data that shouldn't leave the company. The problem becomes more complex when you realize that solving it is different for each type of smartphone, tablet or other device that users may want to use in your enterprise.
There are some solutions. BlackBerry devices can be configured so that they don't provide access to the memory card as a mass storage device, as can iPhones, iPods and iPads. Android devices are more complex because the means for controlling what you can do depends greatly on the version of Android and what the carrier who sold the device decides to implement. On the other hand, most Android devices sync to Google, so attaching them to a computer isn't strictly necessary.
The problem is that you don't know right now what devices will turn up during and after the course of the holiday season. This means that you need to update your security policies from last year, when you had the same problem, to reflect the new types of gadgets that are available. You will also need to learn enough about each of the devices to know what you can and cannot do with regard to making them fit into your enterprise securely.
The best place to start is with the devices you currently support. If you already know how to make them secure parts of your network, then adding a few more, as long as you make sure you configure them appropriately, should be no problem. But the new devices you don't currently support are a different problem.
Depending on your industry and your specific security needs, you might be better off requiring employees with new devices to submit a request so that you can examine the device and determine if it can safely be made part of your network. If it cannot, you might need to take the unpopular position of refusing to allow these devices on your network until you can do it securely.
Unfortunately, with the demonstration of the risks so close at hand, it's hard to dismiss the risk of random devices being attached to your network. But those same events, such as the State Department records leak or the possible release next month of banking records, give you a reason to say no. Just think how bad you will feel if your company is the next one to show up on the Internet for all of your customers and competitors to see.