USBs : An Employees Dream--IT's Worst Nightmare
These dream devices are proving an absolute nightmare for IT managers as they struggle to ensure the data they carry is secure. A standard DVD-data-sized (4GB) key fob drive can be bought online for less than ten pounds and from high-street retailers for little more. Coupled with the fact that a growing number of mobile phones and MP3 players are now starting to reach this level of storage capacity - and come with standard or mini-USB connectors, and you begin to understand the scale of the problem.
"These dream devices are proving an absolute nightmare for IT managers as they struggle to ensure the data they carry is secure.”
- John Jefferies
One serious risk is that of being lost or stolen as highlighted in an annual national independent study conducted by Ponemon Institute into ‘Trends in Insider Compliance with Data Security Policies'. In its most recent study (published June 2009) it discovered that 43% of respondents admit to having lost or had stolen a portable data-bearing device. Another increasingly apparent issue is that of spreading viruses and malware. This was aptly illustrated by Ealing Council who revealed in September that it was forced to cut internet and phone links to preserve "core systems and data” when a worker plugged an infected memory stick into a computer in May 2009. The sophisticated virus spread rapidly, with further shutdowns required when the network was re-infected twice the next week, with all terminals having to be rebuilt or replaced. The Council is faced with a �501,000 bill for the emergency recovery and in lost revenue but it is feared the final cost could top �1.1 million if a new computer security system is needed. This is not an isolated incident and, in fact, was virtually the same as that suffered by Manchester City Council in February.
However, both of these risks can be counterbalanced by defining an effective IT security strategy. Here's how:
Step 1: Ban Staff Using Unprotected Sticks and Uncontrolled Devices
In the first instance, companies should bar staff using vanilla (i.e. unprotected) USB sticks onto company premises, or use them on work-at-home PCs if company data is involved.
Step 2: Give Them Something They Can Use
Employees want to use them so remove the allure of vanilla sticks and provide an authorized corporate secure USB storage device. Increased productivity should compensate for the initial outlay and using a pooling system will help keep a lid on costs. By definition secure means a USB stick with a degree of security intelligence built into it. This intelligence is quite benign and sensible, typically including on-board anti-malware and virus software - updated across the Internet each time the device gains access.
Step 3: Induction
If you don't already have a staff induction course, you need one, as all sorts of company legislation needs to be explained to new employees, as well as temporary workers from agencies. An important part of the process is to familiarise all employees of security policies. It is worth stating that any amendments to the security policy, and any other policies for that matter, should be communicated to existing employees with a method for tracking those that have been made aware of the change - ignorance shouldn't be used as a defence.
Step 4: Education versus Draconian
Rather than ‘because I said so', all mandates should include an educational element so as not to be viewed as a pointless exercise created by those who ‘don't understand how we work'. Explaining the reasoning behind rules will often gain employees support as they can follow the impetus behind the instruction rather than simply wishing to circumnavigate the obstruction.
Step 5: Identify What's Out There
It's vital to use on-network/IT resource technology that analyses new devices as they are hooked up to the company system and lock out any unauthorised device. No exceptions, even for the MD.
Step 6: Manage Centrally
All devices should be involved in a remote portable device scheme, whereby portable devices are updated with IT security policies and checked for general well-being as they connect to the company IT resource - directly, or across the Internet. A reputable IT security system will include the remote management and tracking of secure intelligent flash drives, and also include the ability to recover content, reset a password and re-deploy or destroy data on a device as and when required. It's often this remote control facility that proves a serious lifesaver for staff and management, as USB sticks and portable storage devices can throw a wobbly.
Step 7: Back Up
Finally, you'd be surprised how many people rely on these devices yet fail to take a back-up - even though their desktop or laptop PC is backed up automatically and regularly.
In an ideal world, all staff would understand the need for IT security, and backups for that matter, but life's too short, and some staff, let's face it, have other priorities in life. They - and we - are only human after all. This is where an effective IT Security Strategy that utilises automated security management of portable storage devices, as well as other on-network resources, is so critical. Good management software operates unobtrusively in the background.
We can't all be super-tech-savvy Tom Cruise in Mission Impossible, but we can use our IT resources sensibly and comply with best practice, without having to worry about it. That's what differentiates a good IT security strategy from an effective one.