Unattended PCs Security Risk Underestimated

Sep 30, 2005 (11:09 AM EDT)

Read the Original Article at

Lonesome PCs pose a security risk that enterprises underestimate, a research firm said this week. Making matters worse, corporations just don't pay attention to the major security hazard of unattended workstations, according to Gartner research vice president Jay Heiser.

"Organizations are protecting their systems and personnel against external security threats but failing to realize the very real risks that exist internally from something as basic as an unattended PC," said the U.K.-based Heiser in a statement. "Relatively simple solutions are available to address the problem but few organizations have implemented them."

From Gartner's perspective, a "significant number of unauthorized access events" happen in the workplace when someone sits in front of another's PC. The possible ramifications range from accessing sensitive data to sending e-mail or IM disguised as another employee. And the lack of protection makes it difficult to discipline workers for improper online activity when the excuse of 'someone else must have sat at my PC' can't be disproved.

"Unattended PCs represent the computer security equivalent of 'low-hanging fruit'," said Heiser.

The solution, said Heiser, would be to require workers to log out each time they leave their desk -- the 'timeout' could also be done automatically -- and log back in when they return. Then, the log-in password stands between seat-warmers and access to data and services they've no right to.

Trouble is, users hate logging off and on, and complain loudly to IT when such requirements are made. That could be mitigated, Heiser said, by making workers understand that they'll be held accountable for any computer mischief originating from their workstations or usernames.

"There's little point in implementing some sort of sophisticated identity and access management system unless you can ensure that when people are logged in to systems, they stay at their PCs," said Heiser. "Sloppy management of login sessions sends the wrong message, but tight management, including a degree of user inconvenience, sends the message 'user login sessions are important and must be protected'."

Heiser recommended that enterprises look at both technology and policy solutions, including "proximity" tokens, small devices worn around the neck that are also used for hands-off security door access. Used for PC security, proximity tokens automatically log off a user when he or she steps a defined distance from the computer.

"Tokens are appropriate wherever shared PCs are used to access critical applications, such as in hospitals and clinics," said Heiser. "Proximity tokens are convenient and particularly effective in preventing the 'someone else used my PC' defense common in call centers and on factory floors."

Although timeouts won't work in all situations -- fast reaction scenarios like stock trading would be among them -- Heiser believed that in most office situations, the practice would be "a simple and effective solution" to the security problem of unattended PCs.