Easy-to-use flash USB drives are increasingly popular, but could cause serious security breaches.

Recent developments in the flash market mean that flash USB drives can now store a whopping 2GB of data.  This is the equivalent of about three times the storage space of a compact disk, or a pickup truck filled with books.  Combined with their ease of use, flexibility and small physical size, the devices are becoming increasingly popular with both business and consumer users.

Farewell floppy, hello flash
At the time of writing, a basic 16MB USB drive can be purchased for the price of a snack, although you will pay considerably more for a 1GB drive with password protection, shock and vibration tolerance and a 3-year guarantee.  These prices are declining, though, as gradual advancements mean that flash is becoming larger in capacity yet smaller in size.

It does appear that the floppy disk's days are numbered, and indeed many PCs and laptops now come without a floppy drive, but with a multitude of USB ports and a CD or DVD writer.  USB flash drives are undoubtedly a useful, lightweight and cheap solution.  Where's the catch?

Risks to the business
From a corporate perspective, the use of USB flash drives opens the business up to a number of risks.  Some businesses may not be aware that an employee within the organisation is even using one.  Although there are limited cases where employees would use the device for illegal or malicious attacks, there are other 'innocent' threats that could still compromise valuable business information.

* Viruses could potentially be spread around the company network after being contracted via a flash drive that has been used on an offsite PC.  Good anti-virus measures should already be in place in every corporate environment, but policies and procedures regarding desktop AV should be reviewed to ensure that removable drives are scanned as well as local hard drives.

* The flip-side is that your network or an employee's laptop could hold a virus.  Downloading a presentation onto the flash drive, taking it to your customers and plugging it in could infect their networks, with disastrous effects on your company's reputation and a possible loss of business.

* A huge concern is the potential for loss of sensitive data and corporate espionage.  It takes minutes to transfer huge files to a flash drive, so it wouldn't take long to transfer HR records, client lists, credit card information or valuable intellectual property.  Flash drives fit easily into pockets or bags, making it simple to carry valuable data out of the building without anyone knowing.

* Even if sensitive data is legitimately copied to a flash drive, the drive could easily be lost or stolen due to its small size.  Employees often copy data to work offsite, but the drive could easily fall out of a pocket and into the wrong hands.

* Unwanted software, spyware and pornography could easily be copied from a flash drive onto the corporate network by a disgruntled employee or prankster, exposing the corporate network to a host of potential problems. 

* Many companies store installation copies of software on the corporate network to facilitate legitimate installations within the company.  With a flash drive, copies can be made with the minimum of fuss, even in a supposedly 'locked-down' environment where users do not have CD burners.  Users could then install software elsewhere, such as on their home PCs, and put the company in breach of license agreements.

Is device control software the answer?
In a word, no.  Device control software is software that by default denies access to any devices plugged into the PC, for instance flash drives, WiFi and Bluetooth adapters, or CD-ROM drives.  Although you can control who uses the USB or FireWire ports by creating a 'white list' of devices or users, the USB port is a useful business device and should not be excluded completely from use.  If it were, many types of legitimate USB devices could not be used, such as printers, scanners, and even keyboards and mice!

The one fool-proof way for a business to take measures to protect itself is to ensure that appropriate IT policies and procedures are in place.

The flashy solution
Some businesses believe that this step is not strong enough and is ineffective.  However, if you don't have any set policies and the business becomes vulnerable to problems, it is much harder to safeguard the company, and its directors in particular, against vicarious liability or even imprisonment.

Technological solutions such as any form of lock-down can lead to mistrust between employee and employer, which could have a negative effect on your business.

The key to ensuring success with policies and procedures is that you communicate their importance effectively to your workforce.  Gaining backing and input from the directors or senior managers of the business is critical when formulating and issuing IT policies, and can often help influence employee opinion if the policy is seen to be coming from the top and supported throughout the organization rather than from the IT department alone.  If the management team understand their importance it will help maintain consistency when applying them across the company.

Policies should always be backed up by disciplinary measures to show employees the importance of complying.  Unless you state what is acceptable, your employees will not know that they are doing anything wrong.

It is important for a business to carry out a full audit of IT assets, both electronically and through a physical 'walk round' of all desks.  This may seem like a huge task, but it means that you can monitor exactly what devices are where and easily detect any unrecognized gadgets thereafter.

I suggest the following policies to protect businesses from the misuse of flash drives:

* Only allow staff to use an authorized flash drive issued or purchased centrally by the IT department.  Staff are still able to take advantage of the benefits of the technology, while the risks to your business are minimized if IT staff are able to monitor the drives in some way.

* Don't settle for second best.  When purchasing flash drives, ensure each is a model that comes with security software that can be configured in some way.  Many devices allow users to create a secure area on the drive that is password-protected.  Some even include biometric security measures such as fingerprint readers.

* Provide user and administrator training to control use of the drives.

* Ensure that users keep a small amount of space unprotected, to store a plain-text file detailing how the device can be returned to your company if lost.

Conclusion
USB drives can prove to be a useful asset to the business – providing they are not misused.  The introduction of clear policies and procedures will mitigate the risks to your corporate data and is the most effective way of minimising any potential security threats without having to restrict the use of this effective technology.

Chris Minchin is membership manager at FAST Corporate Services.