To Skype or Not to Skype: that shouldn’t be the question!

By Dan Hadaway | Friday, January 14, 2011 - One Comment

Instead, as always, the question should be:

Is Risk Mitigation < ROI?

Put another way: “What risk is there in using Skype, and does the cost of mitigation outweigh the projected ROI of the technology?”  Put mathematically, ROI = Benefits minus Cost.  But what we need to do is factor risk mitigation into the cost.

In other words, are all the policies, procedures, configuration changes, enforcement controls, and misunderstandings-over-all-of-the-above going to add up to less than the savings we get by using Skype instead of some other video conferencing solution?

Skype is like Facebook.  We security professionals start out frowning on its use.  But this time, darn it, I want to get out ahead of it.  So look for me to dive further into the controls that we can put into place in order to mitigate the risk of using Skype.

First, let’s just review the benefits.  And before we review the benefits, let’s talk a bit about need.  That’s the real question:  do you need the benefits?  See, with Skype, we can all video conference without spending a lot of money.   The Jetsons have landed.

And we already have the prerequisites.  Most of what we need for Skype is already available to us on our laptops, including the little circle at the top of the display that we call “the webcam.”  Heck, those of us with smartphones don’t even need a laptop to Skype.  Instead of placing a cell call to a client, for example, I could Skype with that client.  That way the client can see me, and I the client.  I guess the benefit in that is my good looks, and the body language of the client when I tell the client how much the next phase of the gizmo project is going to cost.

Remember, the quality of Skype is a bit shaky, especially if you’re running it on a slower broadband connection.  In my brief experience with it (see below), I was running it on a T-1 at my house.  And the other end wasn’t too shabby a connection either.  But the picture was still “a bit choppy.”  So I’m proposing that one parameter of your pending “Skype Program” be that you only use it for internal communications, and not for communicating with your customers.

I know, I have a bad attitude about the benefits of seeing people.  That could be due to the fact that my company has successfully implemented a true virtual office for seven years now, and not once did we use the webcams we all thought about buying in 2003.  Even now, when we all have the webcams built into our laptops and cellphones, I simply don’t need to see the look on somebody’s face when I tell them that good or bad piece of news.

So what are those risks?  Well, off the top of my head, I see the Skype risk-profile as a blend of e-mail and chat rooms.  In other words, all the vulnerabilities inherent with e-mail (malware, spoofing, links-out-to-bad-places, etc.) coupled with the security vulnerabilities of chat (the ports you have to leave open on your firewall, man-in-the-middle attacks, illegitimate uses, etc.) apply.  When my daughter visited Japan for a summer two years ago, we found Skype to be a miracle.  Since she had the world-renowned Japanese broadband connection, and we had a T-1, and we didn’t want to purchase a cell phone we couldn’t read, Skype was a no-brainer.  As I wrote above, the quality was a bit choppy, but it was great to see our daughter every day!

And there was a true need!  Was she okay?  Was she healthy?  Was she hung over???  These are questions that only a visual check would completely answer.  So though the video was choppy, the pictures were indeed worth a thousand words.  (Especially when she was half-awake!)

We set it up on my wife’s home computer (because we didn’t want to introduce risk into my laptop).  And sure enough, soon after installation my wife (Stacey) was being “hit on” by Skypers all over the world.  Skype-spammers, skype-lurkers, and skype-seximos came out of the woodwork.

However, take heart!  Stacey simply ignored all requests, except our daughter’s.  And every night at six o’clock we got to see what our daughter looked like at 7:00am in Japan.  It was cool!

So how do you mitigate those Skype risks?  Probably the same way you mitigate risks inherent in e-mail and chat.  I say probably because I haven’t had time to put too much thought into this, and I want to get this article out today, so that you all know I’m working on it.

But think about e-mail.  How do we mitigate risks associated with e-mail?  We have spam filters, anti-virus systems that scan incoming e-mails, and content filters on outgoing e-mails (so people won’t send sensitive information outside the domain).  We have policies about the use of e-mail, and our awareness training spends a lot of time on e-mail vulnerabilities and those policies (just ignore the spam and don’t believe the scams).  We tell people to “just delete it” when it comes to spam.  We spend money executing phishing tests to make sure our employees get it on the warnings about spoofing.  And we accept that there is a certain amount of risk we simply can’t mitigate.  And we clean viruses off of workstations.  And we deal with upset employees because their e-mail didn’t go through to that Hotmail account.

How do we mitigate risk with chat rooms?  Well, most of us prohibit them.  But if we do allow them for certain purposes, we make sure that the clients are configured to send chat messages encrypted.  Then we develop policies, spend time training, and ultimately we accept that there is a certain amount of risk we simply are not going to be able to mitigate.

But with Skype, there are some other considerations.   For one, Skype software generates continuous background traffic once users have signed in to the application.  This traffic is easily confused with malicious patterns and thus interferes with some Intrusion Detection Systems, generating that many more “false positives” that may need to be investigated.  Meanwhile, whenever a security investigation is necessary, the investigator will need to wade through the Skype noise.

So you do the math.  Do you want to add all that risk-mitigation overhead to use Skype?  Is the advantage of being able to see the person you’re talking to worth all the new policies, procedures, configurations, and headaches?  Body language is a good part of our communication.  So though I have knocked it, that’s just me.  And again, when I used it we really DID need to see.  So the real question is, do you want to see your co-workers on a snowy day?

And . . . . if your answer is yes, please contact me.  I want to talk to you about a policy development engagement!

————————-

Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

————————-

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

One Response to “To Skype or Not to Skype: that shouldn’t be the question!”

Comment from Fannie
Time 02/04/2013 at 11:23 pm

It’s actually a nice and helpful piece of information. I am happy that you just shared this helpful info with us. Please keep us informed like this. Thank you for sharing.
