by Sunil Shah

Periscope is an Enterprise Security Risk

Apr 09, 2015 | 4 mins

Periscope, a live video streaming app that Twitter bought, has the potential to create a huge security hole for organizations. Can it be plugged? 

Periscope, a live video streaming app that Twitter bought last month, has been making waves across the world—except in enterprise security departments. And that makes it a ticking time bomb.

What is Periscope? It’s an app your staffers can download and use to live stream any event in your office. Think your next board meeting, your CEO dressing down someone, the HR team deciding who’s going in the next round of layoffs; you get the idea.

But so what? Security risks stemming from mobile video have been around since phones got cameras. The difference with Periscope is that video is being live-streamed, eating into an enterprise’s ability to do damage control. “The risk has always been there with mobile phones,” says Parag Deodhar, Chief Risk Officer and CISO, Bharti AXA General Insurance. “But it’s amplified now. Now it’s live.”

Should Periscope go to the top of your list of security challenges, just now? Depends on who you ask. No one’s been hit by a Periscope-style sting operation–yet. But, just like when social media first came about, it’s only a matter of time. Right now Periscope is only available on the App Store, though it’s threatening to be released on the Play Store.

“It’s a serious problem,” says Ashish Mishra, the CISO at a large retailer.

Not everyone agrees with that assessment. “In my personal opinion, this is another case of an innovation that could turn into a risk. But I don’t rate this as a high challenge,” says Nandkumar Saravade, an independent security advisor. “Spy cameras and other video recording equipment have been around for some time.”

Meanwhile, Periscope has been getting a lot of interest. On the App Store, Periscope is in the top 30 downloads in the US, and the top 50 in the UK. In India, it’s not in the top 145 most popular App Store downloads, which is probably why it hasn’t yet made waves in CISO circles in India. “It’s not being discussed. Not yet. Periscope is very new and it’s still not reached Indian shores,” says Deodhar.

“If and when this reaches broad adoption, the job of the CIO will get harder. Anything happening inside the ‘walls’ of your enterprise (virtual and physical) can be live streamed. Risk just skyrocketed,” says Brian Vellmure, a management consultant.

So what can CIOs or CSOs do? It’s tricky and right now there are no clear answers. If the app’s on a company phone, an MDM solution could be used to create a geo-fence and ensure that cameras are shut off within a fence. The challenge with that is that 60 percent of Indian organizations don’t use an MDM, according to CIO India research. And, in any case, a lot of people have two phones, or use personal phones at work, on which enterprises can’t really apply security policies. “MDM is fine but with personal phones, it becomes an issue,” says Saravade.

Another approach could be to control live-streaming apps like Periscope from the network. But how do you control a personal phone using 3G? Cellular jamming is another option, but that would affect productivity. You could, of course, call for a ban on personal phones, “but that’s probably the last decision you’ll make in that organization,” says Mishra, laughing.

Saravade says that tackling such a challenge requires maturity and education. “Security assurance depends on a framework which includes people, processes, and technology.” It’s important, he says, to ensure a company’s privacy policy expands to take live streaming apps like Periscope into account. The next step is to educate users about the policy and enforce it.

He also believes that the law, which he says is maturing fast in India, needs to catch up with innovations like Periscope. Currently, the IT Act covers voyeurism, but not the broadcasting of confidential company data.

Someone’s going to blow the whistle on the whistling app; the question is: Will it be before or after an embarrassing incident?