You wouldn’t consider buying a laptop at your nearest consumer electronics store and bringing it into the office to work on, right? What about a RAID disk or a CD drive? – didn’t think so. Yet one device that nearly everyone buys privately and keeps in their pockets these days to store both their personal data and confidential corporate data is seldom controlled or secured by the corporation: USB flash drives.
The staggering growth of USB flash drives, from 5 million units sold worldwide in 2002 to 46 million units in 2004 (Source: Gartner), has left many IT departments at odds on how to best tackle this useful, yet potentially risky appliance. Some companies still opt to ban USB drives in their organizations, using anything from a simple policy and procedures to physically welding all USB ports. However, this approach is a short-term stop-gap measure, at best. Most companies, having realized the benefits of using USB flash drives and the fact that they are here to stay, are now looking for solutions to enable their secure deployment and usage.
Corporations should start regarding USB drives in the same way that they treat notebooks, blackberries and other mobile appliances – as company-controlled devices. This implies that these devices should be purchased by the company and configured to adhere to the company's security policy before being issued to employees. Furthermore, the company should be able to set and enforce a policy on non-company issued devices.
Employees using unsecured USB flash drives and other portable storage devices pose two serious and almost unrelated sets of risks, either unintentionally or deliberately.
Unintentionally, they subject companies to a myriad of risks related to the data stored on their devices when they use them on non-company controlled machines, and the potential introduction of malware when they plug the devices back into a network PC. Deliberately, employees can unlawfully extract data using mass storage devices. Both of these types of risks must be overcome for a secure deployment of USB flash drives.
Unintentionally, employees put their companies at risk the moment they step out of the office. A single misplaced or stolen USB drive can expose companies to severe regulatory and commercial implications. But problems do not stop here - plugging the device into a PC at home or at the business center introduces even more risks – viruses can infect sensitive files, spyware can capture sensitive data and even an innocent application such as a web browser can cache behind critical corporate data. In a recent AOL/National Cyber Security Alliance, 67% of home users either had no anti-virus protection or have not updated their protection within the past week. An average number of 93 spyware/adware programs were found on respondents' machines.
What should an IT manager be looking for in order to manage and control the security of these devices? Today there are numerous solutions from hardware to software to assist IT managers with identifying a solution. Some criteria to consider when identifying a solution could include high-grade encryption ensuring data protection. Drives that allow for secure remote access should also be considered, including 2-factor authentication and endpoint security technology that wipes cookies, temporary files, and leaves no traces of work behind so users can safely plug into non-company issued computers.
Companies have begun looking into enterprise-ready USB drives such as Xkey, which includes strong authentication and data encryption, as well as on-board anti-virus protection and other security applications to ensure that no unintended traces of work are left behind. Biometric USB flash drives, which require a fingerprint swipe in order to view their content, are also slowly gaining momentum in the enterprise environment.
Deliberately, employees can unlawfully extract data using mass storage devices. If the scene from Al Pacino's 2003 movie "The Recruit," in which a cleverly concealed USB drive was used to steal CIA secrets did not bring this risk into alarming focus, maybe Gartner's study dated July 2004 will. It cited portable storage devices are "ideal for anyone intending to steal sensitive and valuable data" and warned that they can be used to bypass perimeter defenses such as firewalls and antivirus protection at the mail server. Gartner unequivocally recommends that companies forbid the use of uncontrolled, privately owned devices with corporate PCs. Companies should examine software solutions such as Reflex-Magnetic's Disknet Pro or SecureWave's Sanctuary Device Control, that enable IT departments to monitor ports and specify which devices are allowed inside the organizations, while banning all others.
The value of portable storage devices in today's business environment is clear. Equally clear is the initiative corporations must take to integrate these devices with their storage and security policies. Federal regulations such as Sarbanes Oxley and HIPAA will not forgive the unmonitored and unsecured flow of confidential corporate information. With the help of these new secure USB products and applications, neither should you.
The Author is the Director of Marketing for M-Systems.