Instead, as always, the question should be:
Is Risk Mitigation < ROI?
Put another way: “What risk is there in using Skype, and does the cost of mitigation outweigh the projected ROI of the technology?” Put mathematically, ROI = Benefits minus Cost. But what we need to do is factor risk mitigation into the cost.
In other words, are all the policies, procedures, configuration changes, enforcement controls, and misunderstandings-over-all-of-the-above going to add up to less than the savings we get by using Skype instead of some other video conferencing solution?
Skype is like Facebook. We security professionals start out frowning on its use. But this time, darn it, I want to get out ahead of it. So look for me to dive further into the controls that we can put into place in order to mitigate the risk of using Skype.
First, let’s just review the benefits. And before we review the benefits, let’s talk a bit about need. That’s the real question: do you need the benefits? See, with Skype, we can all video conference without spending a lot of money. The Jetsons have landed.
And we already have the prerequisites. Most of what we need for Skype is already available to us on our laptops, including the little circle at the top of the display that we call “the webcam.” Heck, those of us with smartphones don’t even need a laptop to Skype. Instead of placing a cell call to a client, for example, I could Skype with that client. That way the client can see me, and I the client. I guess the benefit in that is my good looks, and the body language of the client when I tell the client how much the next phase of the gizmo project is going to cost.
Remember, the quality of Skype is a bit shaky, especially if you’re running it on a slower broadband connection. In my brief experience with it (see below), I was running it on a T-1 at my house. And the other end wasn’t too shabby a connection either. But the picture was still “a bit choppy.” So I’m proposing that a given parameter in your pending “Skype Program” is that you will only use it for internal communications, and not for communicating with your customers.
I know, I have a bad attitude about the benefits of seeing people. That could be due to the fact that my company has successfully implemented a true virtual office for seven years now, and not once did we use the webcams we all thought about buying in 2003. Even now, when we all have the webcams built into our laptops and cellphones, I simply don’t need to see the look on somebody’s face when I tell them that good or bad piece of news.
So what are those risks? Well, off the top of my head, I see the Skype risk profile as a blend of e-mail and chat rooms. In other words, all the vulnerabilities inherent in e-mail (malware, spoofing, links out to bad places, etc.) coupled with the security vulnerabilities of chat (the ports you have to leave open on your firewall, man-in-the-middle attacks, illegitimate uses, etc.) apply. When my daughter visited Japan for a summer two years ago, we found Skype to be a miracle. Since she had the world-renowned Japanese broadband connection, and we had a T-1, and we didn’t want to purchase a cell phone we couldn’t read, Skype was a no-brainer. As I wrote above, the quality was a bit choppy, but it was great to see our daughter every day!
And there was a true need! Was she okay? Was she healthy? Was she hung over??? These are questions that only a visual check would completely answer. So though the video was choppy, the pictures were indeed worth a thousand words. (Especially when she was half-awake!)
We set it up on my wife’s home computer (because we didn’t want to introduce risk into my laptop). And sure enough, soon after installation my wife (Stacey) was being “hit on” by Skypers all over the world. Skype-spammers, Skype-lurkers, and Skype-seximos came out of the woodwork.
However, take heart! Stacey simply ignored all requests, except our daughter’s. And every night at six o’clock we got to see what our daughter looked like at 7:00am in Japan. It was cool!
So how do you mitigate those Skype risks? Probably the same way you mitigate risks inherent in e-mail and chat. I say probably because I haven’t had time to put too much thought into this, and I want to get this article out today, so that you all know I’m working on it.
But think about e-mail. How do we mitigate risks associated with e-mail? We have spam filters, anti-virus systems that scan incoming e-mails, content filters on outgoing e-mails (so people won’t send sensitive information outside the domain). We have policies about the use of e-mail, and our awareness training spends a lot of time on e-mail vulnerabilities and those policies (just ignore the spam and don’t believe the scams). We tell people to “just delete it” on spam. We spend money executing phishing tests to make sure our employees get the warnings about spoofing. And we accept that there is a certain amount of risk we simply can’t mitigate. And we clean viruses off of workstations. And we deal with upset employees because their e-mail didn’t go through to that Hotmail account.
How do we mitigate risk with chat rooms? Well, most of us prohibit them. But if we do allow them for certain purposes, we make sure that the clients are configured to send chat messages encrypted. Then we develop policies, spend time training, and ultimately we accept that there is a certain amount of risk we simply are not going to be able to mitigate.
But with Skype, there are some other considerations. For one, Skype software generates continuous background traffic once users have signed in to the application. This traffic is easily confused with malicious patterns and thus interferes with some Intrusion Detection Systems, generating that many more “false positives” that may need to be investigated. Meanwhile, whenever a security investigation is necessary, the investigator will need to wade through the Skype noise.
So you do the math. Do you want to add all that risk-mitigation overhead to use Skype? Is the advantage of being able to see the person you’re talking to worth all the new policies, procedures, configurations, and headaches? Body language is a good part of our communication. So though I have knocked it, that’s just me. And again, when I used it we really DID need to see. So the real question is, do you want to see your co-workers on a snowy day?
And ... if your answer is yes, please contact me. I want to talk to you about a policy development engagement!
Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex
“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”