A new survey by security firm Sophos has revealed that over half of all businesses quizzed do not know how many employees are running virtualisation software on their computers.
The announcement comes as the company extended the application control feature of its Sophos Endpoint Security and Control to give users the option to block virtualisation applications. This can include free desktop and data centre products from VMware, as well as tools from DosBox and Microsoft’s Virtual PC 2007.
An increasing number of companies are turning to virtualisation as a cost-cutting measure during this time of economic uncertainty and running unauthorised software means that it is users, rather than the IT department, that are bringing virtualisation to the desktop. This runs the risk of creating vast areas of a corporate network that IT departments are not aware of and have no control over.
Richard Jacobs, chief technology officer at Sophos, said that he believed it was users’ desire to improve productivity rather than any malicious reasons that lead to them downloading and running virtualisation software.
“Virtualisation tools represent a black hole in many organisations’ IT security – if staff are allowed to download these tools and create environments that are completely hidden from IT administrators, it’s impossible to defend them against cyber attacks. While employees may simply be trying to get round a ban on social networking or using instant messaging at work, doing so in this way poses a real threat. In fact, uncontrolled and unmanaged virtual computers could lead to potentially disastrous consequences, including corporate identity theft, financial losses and embarrassing headlines,” Jacobs said.
Sophos says that as employees become more IT savvy it is essential that organisations have total visibility of their network. If there are unauthorised applications being run on a network, for example a virtual browser, organisations are at risk from cyber attacks.
Speaking at a roundtable event to mark the publication of this report, Jacobs suggested that one of the best forms of defence against virtualised desktops, as well as the issue of accessing inappropriate websites, could involve engaging the users.
He said: “You should always involve the user – most are well intended. A popup message that just says ‘do you really want to do this?’ is useless, because after a while the user will just ignore it. Having a popup that says ‘why do you want to do this?’ is much more effective and works just as well as having an IT policy in place to control what site users can access.”
The survey was carried out online on October 8 and quizzed 130 people.