Sony’s new memory sticks have riled the business world into banning them from use, Louise Murray asks why?
There is a new and convenient addition to the portable devices market. It fits in your pocket, holds a huge two gigabytes of data and can be instantly accessed from machines with USB ports. The problem? It poses an increasing security threat. In fact, USB flash drives or "memory sticks," (a Sony brand name), have elevated some company concerns high enough to actually ban their use.
Ray Wagner, Gartner's research director for information security strategies, describes the memory sticks as generally open volumes with no built-in security capabilities. According to John Madden, manager for the U.K.'s National Computing Center, "As an IRCA-registered information security auditor, several companies who are clients of LRQA (Lloyd's Register Quality Assurance) have reported security incidents involving memory sticks. The majority of them seem to be concerned with the ability of their employees to avoid the firewalls, and have therefore made changes to their info security policy to ban the use of them."
The technology does not require administrator privileges and cannot be managed using group policy, leaving wide the possibility for inadvertent or malicious misuse.
A recent case in the U.K. left health bosses in Lancashire facing awkward questions after medical records of 13 cancer patients found their way on to a portable memory stick, which was then repackaged and sold to a Crewe realty.
With the 1400 factor increase in memory capacity from the floppy disk, a USB flash drive can launch applications or take a copy of a company's entire database. Darwin L. Martinez, a vice president at National Business Group in Atlanta, says "Until manufacturers are able to develop some type of authentication facility and ensure inappropriate information is not available on these devices, they are a hazard. Right now, we are not reselling this type of technology – too many risks."
Short of banning the technology completely or locking out the USB interface, as Swiss Life U.K.'s security manager, Danny Hulligan, has done, the only way to secure the data kept on the sticks is through an outside control mechanism, such as auditing tools or centrally controlled data access. "Most enterprises choose to operate as if data on mobile devices (other than company-owned laptops) is all non-critical, requiring no protection," said Wagner. "This is rarely the case, as a recent story confirms, when the Blackberry bought on eBay for $16 was found to contain corporate data."
Louis Oley, managing director of U.K.-based host intrusion prevention company, SecureWave, says "Security officers are panicking. Banning memory sticks is a bit drastic and means companies are not taking advantage of the business benefits. We have solutions available [to lock down the USB port] to control the use of these devices."
"Memory sticks present no more of a risk than any other transferable data format," said Anne Skinner, product manager for digital imaging at Sony. "Companies and their employees need to be aware of secure and safe practice regarding viruses and data, then there shouldn't be a problem."
What are the risks in employing removable memory devices?
Confidentiality and security keep the working world in business. So, what happens when the two no longer work in harmony? The risks of mobile devices are: