iPods And Memory Sticks: Are The Benefits Worth The Security Risks?
Few companies have taken steps to secure such devices, and some security vendors claim they can help.
Personal technology has a way of working its way into companies, often to the benefit of workers and the dread of IT staffers who deal with the fallout. USB-pluggable memory drives are one of the most-popular technologies creeping in lately, but the security risks may outweigh any benefits they provide to the workplace.
Most businesses aren't addressing the risk. More than half of companies take no steps to secure data held on devices such as iPods or USB memory sticks, according to a U.K. government-backed security survey released in April. One-third of companies tell staff not to use USB flash memory drives and sticks, but they rarely do anything to change the configuration of PCs and laptops to stop their use, according to the survey by the Department of Trade and Industry. Only 10% of the 1,000 companies interviewed for the survey encrypt the confidential data stored on these portable devices.
Security concerns about memory sticks and MP3 players have grown with their storage capacity. It's now often easier to download huge documents than to send them via E-mail, where they risk clogging the system.
The dangers of using portable storage technology were highlighted in April when the Los Angeles Times reported it bought stolen flash memory storage drives --containing classified U.S. military information and the names of allegedly corrupt Afghan officials--at bazaars in Afghanistan. The U.S. military declined to provide any information about the stolen drives or to confirm their content.
Tech vendors are only beginning to deliver tools to manage portable data. M-Systems last week introduced its mTrust Manager to help companies centrally manage removable storage drives by tying the use of a particular drive to an end user, so system-access privileges govern their use. MTrust Manager also lets IT admins perform remote password administration, create a database of what's stored on all the drives used by employees, and back up information stored on these devices. But it only works with drives from Kingston Technology and Verbatim. Other M-Systems tools allow encryption of data stored on USB-pluggable storage devices.
Can't Stop 'Em
Banning the devices is impractical for most companies. They store more data than can reasonably be attached to an E-mail and let users transport data to places where their networks don't reach, such as a PC borrowed for a conference presentation.
Other technology security providers have homed in on the need for better management and security of removable storage drives. Centennial Software in mid-April said it's giving the U.S. armed forces 25,000 free licenses of its DeviceWall endpoint security software to manage portable storage in networked environments, largely in response to the problems in Afghanistan. SecureWave has software for policy-based control of devices, and last week revealed a partnership with removable flash memory maker Lexar Media that resembles M-Systems' relationship with Kingston and Verbatim. And Safend this summer will release the latest version of its Protector software, which enforces removable storage device policy management and synchronizes with Active Directory.
Removable storage's worst-case scenario appears to have played out in Afghanistan, and tech vendors are rushing in with promises to keep it from happening elsewhere. Now companies need to acknowledge their exposure to this problem.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.