Study Shows File-Sharing Is Endemic In Business ComputersStudy Shows File-Sharing Is Endemic In Business Computers

Peer-to-peer file-sharing software for trading music, movies, and even software has more than a toehold in corporate networks, Canadian asset monitoring company AssetMetrix said in a global survey of 560 companies that it released Wednesday.

The survey, conducted by the company's AssetMetrix Research Labs arm, poked through computers at companies of all sizes in the United States, Canada, the United Kingdom, Europe, Africa, and the Pacific Rim. The results discouraged IT administrators.

File-sharing applications such as Kazaa, Morpheus, and Imesh were spotted on machines at three out of every four businesses, said Steve O'Halloran, the director of the lab and one of the founders of AssetMetrix. And no company with more than 500 employees escaped the file-sharing syndrome: All of the surveyed companies that size had at least one computer with the software on the hard drive.

Even when the numbers were broken out differently, the picture wasn't pretty. On average, said O'Halloran, 9.23% of the more than 175,000 PCs his firm examined contained at least one file-sharing program.

"Smaller companies tended to be the most volatile in regards the percentage of their PCs with file-sharing software," said O'Halloran. The highest number he found in his survey was a small firm where 58% of its systems were running file-sharing software. "And we saw a lot floating in the 20% to 30% range. But small businesses also had a more significant number of zeros," he said.

It all depends on whether a company has instituted management practices and policies that forbid file-sharing, and then enforces them, he said. "When management practices are in place, small businesses have more effective control, if only because they can more easily physically control the limited number of computers. But if policies aren't in place, file-sharing takes off like wildfire."

Larger companies, those with 1,000 or more workers, fared better, on average, due to the simple fact that most bigger businesses do have policies in place. No company that large sported a file-sharing "penetration rate" greater than 10%, according to O'Halloran's report.

But while recent aggressive moves by copyright holders such as the Recording Industry Association of America have made the most news on the file-sharing front, litigation isn't the only risk that companies take by allowing peer-to-peer applications on their network. "There's only a low possibility of being nabbed at the moment" by a litigious copyright holder, O'Halloran said. "It's the security risk and the infrastructure costs that accompany file-sharing that you should be worried about."

In the report that laid out the results of its survey, AssetMetrix Research Labs identified 71 viruses that can exploit peer-to-peer applications. Not surprisingly, the vast majority--69--target the most popular P2P program, Kazaa. In addition, said O'Halloran, most file-sharing apps, and all of them in the top 10, install so-called "malware," software that tracks Web browsing patterns and delivers pop-up ads to browsers. These, too, pose security and/or privacy risks.

But it's the infrastructure costs of file-sharing that really stood out, O'Halloran.

His lab set up a file-sharing server stocked with hundreds of corrupted MP3 files, then let all comers download the files. The idea: Track the bandwidth consumed by an average file-sharing PC. The results should put a fire under any IT executive tired of paying for bandwidth.

When the spoof server declared itself able to connect at T3 speeds, bandwidth common in big companies, it tracked files being transmitted that accounted for about 10 Mbytes at any given moment. (Spoofing at slower speeds resulted in less bandwidth consumed; those who use file-sharing software naturally gravitate towards the fattest pipe they can find.)

"You're essentially acting as an outsourcer for your workers' downloads," O'Halloran said.

Although there are a variety of ways to prevent file-sharing from chewing up corporate resources, O'Halloran's survey found a surprisingly lax attitude among companies.

"If you have the firewalls in place and modify the ports, and if you have practices in place, you might think you're safe" from file-sharing, said O'Halloran. "But what we saw was that although everyone nods their head, [defense] is not happening." Only in firms in highly secure fields, such as banking and finance, and in government agencies, did the survey notice a thorough policing of no-file-sharing policies.

He even wondered whether some IT workers really wanted to clamp down on file-sharing. "The ghost in the machine may well be the source of the problem," he said.

To combat file-sharing, AssetMetrix is making its P2P-Tracker available at no charge to companies that register at its Web site. P2p-Tracker, a subset of the company's asset discovery and monitoring service, will sniff out file-sharing applications, as well as any associated malware, and produce reports that administrators can sift through to spot enterprise PCs that have the software installed.