One approach to tightening security around Web mail is to use a tool that monitors email content using keyword filters and other detection techniques and that either generates alerts regarding potential breaches or simply blocks the email from being sent.

3. Portable storage devices One of an IT manager's biggest fears, according to Holbrook, is the steady proliferation in types of portable storage, ranging from Apple iPhones and iPods to flash memory devices. "People can use these to download any number of corporate secrets or sensitive information and move it off-site, which is not where IT wants that information to be," he said.

"In the past three weeks alone, I've heard six different conversations about the risks of fl ash drives and portable storage devices," an information security architect and author of Network Security: The Complete Reference, Mark Rhodes-Ousley, said.

While it would be easy enough to lock down the USB ports on employee PCs, many security managers say this is not a recommended approach. "Where do you draw the line? If you restrict USB ports and [mobile] phones coming into the office that may have data storage ports, then you have to look at restricting infrared ports on devices and CD burners, and the list goes on and on," Miller said.

It's better, he said, to handle the matter by teaching people how to treat the storage of sensitive information. "Most of the incidents that occur are unintentional [rather than] malicious, so that's where education comes in, as to proper handling and why it's important," Miller said.

WebEx director of IT infrastructure, Michael Machado, said he wasn't a fan of blocking USB ports at WebEx, mainly because such a strategy would quickly devolve into users asking for exceptions to the rule and IT having to manage those exceptions.

What would be optimal, he said, was to have a tool that sends a message to people trying to copy files to USB drives or other unencrypted storage media, advising that they're going against corporate policy. "Then they know they're empowered to make the decision but that it's going to be tracked and monitored," he said.

On the other hand, DeKalb's Finney said she was interested in blocking technologies and was looking to either block certain types of data from being transferred to an external storage device or alert her when someone tries to plug anything into a PC that's not native to that computer.

Meanwhile, colleges and universities where lecturers and students have lost flash drives with sensitive data are looking into standardising on password- and encryption-protected USB drives to protect them in the future.

4. PDAs and smartphones More and more employees are showing up at work with some form of smartphone or personal digital assistant, be it a BlackBerry, Treo or iPhone. But when they try to synch up their device's calendar or email application with their own PC, it can cause problems ranging from application glitches to the blue screen of death.

Moreover, should the employee quit or be fired, he can walk out the door with any information he wants, as long as the PDA or smartphone belongs to him.

Like some other companies, WebEx minimises those possibilities by standardizing on a single brand and model of PDA and letting employees know the IT organisation will only support that one device. WebEx does the same thing with laptops which, Machado noted, represent an even greater threat than PDAs because they can hold even more data. Any unapproved devices are not allowed on the WebEx network.

5. Camera phones A hospital worker stands at a nursing station, casually chatting with the nurses. Nobody notices she has got a small device in her hand, on which, from time to time, she's pressing a small button. A scene from the latest spy thriller? No, a security test conducted by DeKalb's Finney. "One of the tests I did was to go to take my mobile phone to the nursing station and start clicking off photos, unbeknownst to them," she said.

As it turns out, she didn't obtain any personally identifiable information, but she did glean the computer name - not the IP address - from the top of the photographed computer screen. "That kind of information can add up to clues that can be compiled or combined with information somebody could get from other sources in the facility to build a plan of attack," she said. As a follow-up, Finney added information regarding this potential security breach to DeKalb's employee orientation and security awareness programs, so people were at least aware of how risky it is to expose sensitive data for others to see - and possibly photograph.

6. Skype and other consumer VoIP services Another fast-growing consumer technology is Skype, a downloadable software-based service that allows users to make cheap Internet phone calls. In fact, 20 per cent of the respondents to the Yankee Group study said they use Skype for business purposes. In a business setting, the threat presented by Skype and similar services is the same as that of any consumer software downloaded to a corporate PC, Holbrook said.

"Enterprise applications are highly scalable and highly secure, while consumer applications are less scalable and less secure," he said. "So any time you download Skype or anything else, you're introducing a security risk with which IT is uncomfortable."

For instance, the software can interact with every other application on the PC or network, potentially affecting the performance of every application. Skype itself has issued at least four bulletins announcing security holes that users can patch when they download the latest version of the software.

But because IT often has no idea how many users have installed Skype, let alone who has done it, there's no way for them to police these efforts.

The most secure option, and one that Gartner recommends, is to block Skype traffi c altogether. If a business chooses not to do that, it should actively engage in version control of Skype clients using confi guration management tools and ensure that is distributed only to authorized users, Gartner said.

7. Downloadable widgets According to Yankee Group, consumers are using devices to download widgets that give them quick access to Web applications. These widgets can be easily moved to PCs, which, according to Holbrook, represent another entry point into the technology ecosystem that IT struggles to control.

The risk here is that these tiny programs use processing power on the PC and the network. And beyond that, any software that gets downloaded without being vetted represents a potential threat.

WebEx mitigates this risk using a threefold approach. It educates users on the risks of software downloads, it uses Reconnex to monitor what's installed on user PCs, and it disables some of the users' default access rights, restricting their download capabilities.

8. Virtual worlds Business users are beginning to experiment with virtual worlds such as Second Life, and as they do, IT needs to become more aware of the accompanying security concerns. It would be short-sighted, Holbrook said, to block the use of these virtual worlds.

"It's an application that people are just now figuring out how it can be useful in a business setting," he said.

At the same time, using Second Life involves downloading a large amount of executable code and putting it inside the corporate firewall, Gartner pointed out in a recent report. In addition, there's really no way to know the actual identities of the avatars who populate the virtual world.

One option that Gartner suggested is enabling employees to access their virtual worlds over the company's public wireless network or encourage them to do it from home.

A third option is for companies to evaluate tools to create their own virtual environments that would be hosted internally within the enterprise firewall.