To gauge the seriousness of the situation, we launched an investigation to see what kind of corporate data could be found on the popular Gnutella network. We discovered spreadsheets, billing data, health records, and more. (See our full report, "Our P2P Investigation Turns Up Business Data Galore".)
Used as intended, file-sharing programs and P2P networks are a cheap, easy way for people to share content, and they're a popular channel for distributing open source software. Despite their association with illegal music sharing, not all P2P networks are equally dangerous when it comes to business data. BitTorrent shares only the files for which a user has deliberately created and published a torrent, and peers find each other through a tracker rather than by searching one another's disks, so it is far less prone to inadvertent sharing than a decentralized network like Gnutella, whose clients expose an entire shared folder to keyword searches from every other peer on the network.
It's the improper or careless use of P2P that should worry IT departments. What can go wrong? A user saves a spreadsheet in the same folder where the client shares music files, or checks the wrong box when configuring the client's shared folders, and, voilà!, their corporate documents are out there for everyone on the network to search for and download.
HOW TO FIGHT BACK
The first line of defense for IT departments is to set parameters for the use of file-sharing apps on company PCs--some ban them entirely--and use tools to monitor and manage those policies. Effectiveness, however, is only as good as IT enforcement and employee compliance. Look no further than Pfizer to see what happens when someone breaks the rules. Harder still: getting customers and business partners to exercise the same degree of caution that you mandate internally.
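The failure mode described earlier, a business document sitting in a folder the P2P client exposes, is also the easiest one to check for. The script below is an added example, not code from the article or from any vendor's monitoring product: given the directories a file-sharing client shares (which directories those are is assumed to be known to IT; the folder and file names here are constructed for the demo), it walks them and flags anything that is not a media file, including documents that a user has renamed to look like music, by sniffing the first bytes of each file.

```python
"""Audit a P2P client's shared folders for files that are probably not media.

Added example (not from the article or any vendor tool). Assumes IT already
knows which directories each file-sharing client exposes; the directory and
file names below are constructed for the demo.
"""
import os
import shutil
import tempfile

# Extensions a music/video sharing folder is expected to contain.
MEDIA_EXTENSIONS = {".mp3", ".ogg", ".flac", ".m4a", ".wav",
                    ".avi", ".mp4", ".mkv", ".jpg", ".png"}

# Extensions that almost never belong in a shared-music folder.
DOCUMENT_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".csv",
                       ".txt", ".ppt", ".pptx", ".pst", ".mdb"}

# Leading bytes of common business-document containers, so a spreadsheet
# renamed to "track.mp3" is still caught.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (legacy Office)"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip container (OOXML/ODF)"),
]


def sniff(path):
    """Return a content-type label from the first bytes of the file, or None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for signature, label in MAGIC:
        if head.startswith(signature):
            return label
    return None


def audit_shared_folders(roots):
    """Walk each shared root; return sorted (relative_path, reason) for suspect files."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                ext = os.path.splitext(name)[1].lower()
                kind = sniff(full)
                if ext in DOCUMENT_EXTENSIONS:
                    findings.append((rel, "document extension " + ext))
                elif kind is not None:
                    # Extension looks harmless, but the bytes say otherwise.
                    findings.append((rel, "content looks like %s despite extension %s"
                                     % (kind, ext or "(none)")))
                elif ext not in MEDIA_EXTENSIONS:
                    findings.append((rel, "unexpected extension " + (ext or "(none)")))
    return sorted(findings)


def build_demo_share():
    """Create a constructed shared folder mixing real-looking music with business files."""
    root = tempfile.mkdtemp(prefix="p2p_share_")
    os.makedirs(os.path.join(root, "music"))
    with open(os.path.join(root, "music", "track01.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 32)          # looks like an MP3: fine
    with open(os.path.join(root, "music", "q3_billing.xls"), "wb") as fh:
        fh.write(MAGIC[0][0] + b"\x00" * 32)              # spreadsheet filed with the music
    with open(os.path.join(root, "music", "cover.jpg"), "wb") as fh:
        fh.write(b"%PDF-1.4\n%constructed\n")            # PDF renamed to look like cover art
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed note\n")                  # plain-text file at the share root
    return root


def run_demo():
    """Build the demo share, audit it, clean up, and return the findings."""
    root = build_demo_share()
    try:
        return audit_shared_folders([root])
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in run_demo():
        print("%-28s %s" % (path, reason))
```

On a real machine, pass the client's configured shared directories instead of the demo folder and ship the findings to whatever the monitoring tool already reports on; the magic-byte check matters because extension-only scanning misses exactly the files a careless or deliberate user renames.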
"You know not everyone is going to do the right thing. It's the law of averages," says Craig Shumard, chief information security officer with Cigna. After discovering six months ago that a few user IDs and passwords to one of its portals had been inadvertently leaked onto a P2P network by a partner, the health care insurer scrambled to reset them.