To start, the computers provided in an Internet café should certainly have a desktop security suite installed. The suite should have, as a minimum, firewall, antivirus and antispyware programs. It's obviously in the interests of the Internet café to ensure its computers run safely and efficiently. However, I would still not sanction their use by members of staff for business-related work or correspondence. How do you know that the desktop security suite has the latest virus signatures? Or that the newest system and software patches are installed? The recent zero-day flaw in Internet Explorer would certainly put many Internet café browsers at risk. Although the Internet café may have a policy of blocking questionable websites, attacks can also spread from legitimate sites that have been unwittingly compromised. An unlimited number of strangers sharing an Internet café machine greatly increases the likelihood of it becoming infected.
The problem with any public access point is that it has to be treated as a hostile environment. The physical and logical security controls that are possible within your organization's buildings are not available in the outside world. It is therefore much harder to ensure that sensitive business information remains safe. Despite the presence of security programs, such as a desktop security suite, there is still the risk of shoulder surfers and security cameras observing keystrokes or the contents of your screen. You can use privacy screen guards, such as those made by 3M Corp., to prevent people sitting next to you from being able to read your screen, but I don't know how to disguise your password keystrokes!
A tool like Windows SteadyState will certainly help the café's system administrator to control what users can and can't do, such as access programs, configuration settings, removable storage devices and websites. SteadyState also makes it easy for administrators to wipe data from a computer's hard drive. It is difficult to know, however, whether this erasure is always performed once a machine is vacated and reassigned to another user. You therefore have to assume that data and deleted files may persist on the machine's hard disk.
Finally, all organizations should have a formal policy covering the use of mobile and third-party devices in places such as Internet cafés. It should include the requirements for physical protection, access controls, encryption, backups and virus protection. It should also include rules and advice on connecting shared or mobile devices to corporate networks and guidance on their use in public places. You need to reduce the chances of an employee accidentally disclosing sensitive information such as sales figures, client data or passwords. For me, the risks are just too high when using a third-party shared computer.
This was first published in April 2009