Removable media devices are here to stay. Their ease of use and low cost have made them ubiquitous in the workplace environment, but at what price? Here, Magnus Ahlberg examines the pros and cons of removable media, and the various steps IT and security managers can take to mitigate the security risks currently associated with them.
When I last surfed the Internet in search of a USB memory stick, it was obvious that for just a few hundred pounds I could purchase a four gigabyte device no bigger than an ordinary pen. That’s a lot of information you can now carry in the palm of your hand.
Largely thanks to their data holding capacities, portability and simplicity, removable media have become one of the most popular types of storage devices around today. You’ve only to visit one of the larger computer shows to be offered a free memory stick as an exhibition stand giveaway. If you were to take part in an IT security-related training course, you may well be given a memory stick with all of your computer course notes stored on it.
If you’re anything like me, the advantages of using a small memory stick, Compact Flash card or digital camera memory card are indeed enticing. Gone are the days when you had to lug your laptop around with you on every long journey, or on spells away from the office. Just attach a USB stick to your key ring and you can carry all the documents you could ever need without that cumbersome business computer forever being in your shadow.
Storage of corporate data
Removable media devices, then, are certainly a fantastic new addition to the constantly growing assortment of computer gadgetry that adds convenience – even fun – to the way in which we work. But at what price? As removable media grow in popularity, more people are using them in the workplace to store corporate information. Documents, databases, graphics, music, even films and video can be tucked away on these highly portable devices. Yet the security implications and risks of removable media are considerable, and demand serious assessment from the security professional.
What happens, for example, if you lose your key ring which happens to have had attached to it a USB token containing all of your downloaded (and unprotected) corporate documents? You’re in luck, of course, if it’s picked up by an inquisitive passer-by who, after reading it, finds your information is of little interest. What happens, though, if the information is accessed by a criminal, journalist or competitor?
The entire contents of your PC could find their way into the public eye. Worse, you may be held to ransom by an opportunist who demands payment in return for not exposing the information they’ve discovered concerning your company.
Perhaps most devastating of all, you may well find the entire contents of your bank account emptied or even have your identity stolen. These scenarios are very real indeed, and have the potential to be incredibly damaging – both to yourself and, ultimately, your employer.
As an IT security administrator, if you don’t have a handle on who’s using removable media in your organisation, you have no idea who’s downloading your intellectual property and other sensitive company information. You don’t know where it’s being taken, or the risks to which it’s being exposed.
The harm to your business posed by information loss isn’t simply financial or operational. You must also consider the legal liabilities of important data carried away on removable media. If a disgruntled employee decides to leak information on your customers, you could find that you’re in for a huge libel suit, not to mention significant damage to the reputation of the business.
Although tremendously useful due to their small size, various guises and capabilities, removable media devices can pose a serious security threat to any organisation. How, then, might you balance the benefits of these devices against the risks that they pose?
The ‘Five Steps to Security’
Step One involves the security policy. Removable media devices aren’t toys. Decide how the company as a whole is going to manage them. It would be naïve to think that you could simply ban all removable media. However, you should think about introducing removable media into your security policy and make sure every member of staff reads, understands and then signs that policy. In addition, explain to staff what action will be taken if the policy is ignored.
Step Two is all about education. Inform all company employees about security and its implications. Explain why certain controls must be put in place. Don’t merely impose those controls or users will ignore them.
In Step Three, take a look at encryption issues. Consider employing a mobile data protection product. Mandatory media encryption solutions are now available that may be centrally controlled by the IT department. The best products are both fast and transparent to the user, so as not to interfere with their real time work. Such protection automatically encrypts all information loaded on to a USB token or other removable media. Access is granted only to the user who holds the password.
Step Four centres on control. Implement device and executable control solutions that will enable you to control exactly what devices may be connected to a system, and what executable files can and cannot be run.
Finally, in Step Five, you need to audit and measure. Ensure that you carry out regular audits to find out who’s using removable media.
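One way to run the Step Five audit against a Step Four approved-device list, shown as an added example that is not from the original article or from any product it mentions. It assumes Linux workstations forwarding kernel messages to a central syslog file; the hostnames, serial numbers and allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the Linux kernel's USB message format.
SAMPLE_LOG = """\
Mar  3 09:14:02 ws-finance-01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar  3 09:14:02 ws-finance-01 kernel: usb 1-2: SerialNumber: EXAMPLE0001
Mar  3 09:14:03 ws-finance-01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 10:40:11 ws-sales-07 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Mar  3 11:02:45 ws-sales-07 kernel: usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar  3 11:02:45 ws-sales-07 kernel: usb 2-3: SerialNumber: EXAMPLE0002
Mar  3 11:02:46 ws-sales-07 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of company-issued sticks: (vendor id, product id, serial).
APPROVED = {("0781", "5567", "EXAMPLE0001")}

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s(?P<msg>.*)$")
FOUND = re.compile(r"usb ([\d.\-]+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb ([\d.\-]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage ([\d.\-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_usb_storage(log_text, approved):
    """Return {host: [(timestamp, vid, pid, serial), ...]} for unapproved storage."""
    pending = {}                       # (host, port) -> [vid, pid, serial]
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts", "host", "msg")
        if (f := FOUND.match(msg)):
            pending[(host, f[1])] = [f[2], f[3], None]
        elif (s := SERIAL.match(msg)) and (host, s[1]) in pending:
            pending[(host, s[1])][2] = s[2]
        elif (d := STORAGE.match(msg)) and (host, d[1]) in pending:
            # Only devices that bind the mass-storage driver are audited;
            # a device with no serial (None) cannot match the allowlist.
            device = tuple(pending[(host, d[1])])
            if device not in approved:
                findings[host].append((ts, *device))
    return dict(findings)


if __name__ == "__main__":
    for host, events in audit_usb_storage(SAMPLE_LOG, APPROVED).items():
        print(host, events)
```

Mapping each reported host to the person logged in at that timestamp is left to whatever asset or login records the organisation already keeps.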
In today’s somewhat complex digital world, nothing about security can be guaranteed. However, by following these few simple steps, you can mitigate your risk and show that you’ve taken adequate steps to do everything you can to protect the information that’s being carried around on removable media devices.
Once you do, you’ll be able to sleep at night, safe in the knowledge that your company isn’t the next in line for public humiliation within the pages of the tabloid press for allowing sensitive information to leak out.
Source
SMT
Postscript
Magnus Ahlberg is managing director of Pointsec Mobile Technologies (www.pointsec.com)