Threats from outside the network perimeter, such as from spam or viruses, have long been recognised as major security issues. But the growing use of mass storage devices (such as iPods and USB drives) in the office means that vast quantities of data can be copied and stolen from inside corporate networks more quickly and easily than ever before.
Recent high-profile security breaches have catapulted the issue of data theft high up the business agenda. Recent thefts of customer account details at credit card companies and high street banks are just two examples that have made the news in 2005. And with the Financial Services Authority (FSA) warning financial organisations that organised criminal gangs are infiltrating their business for the purpose of stealing data on demand, the situation is only going to get worse.
The recent case in the US where Chinese immigrants were initially accused by the FBI of stealing vital state defence secrets only to then have the charges lessened considerably, demonstrates all too clearly the difficulty of proving data theft after the fact. Allegedly, these men copied sensitive files including details of US warship technology onto a CD. In January, a similar accusation was thrown out of court in Los Angeles.
This lack of success in prosecuting alleged data theft cases suggests that once data has been stolen, it is too late. Not only have you lost vital information but it’s unlikely that you’ll be able to discipline the culprits.
Whether it is customer records as in the high street bank scenario or company intelligence such as new business plans, financial projections or salary details, your business could be put into jeopardy if small, undetectable storage devices were used to put this information into the wrong hands.
Given the difficulty of proving data theft and recapturing the information once it has left the office, it’s clear that organisations need to put preventative measures in place.
Taking preventative measures
One option is to take the military’s lead and impose a blanket ban on removable media devices, as it did with iPods. This tactic sounds good in theory but almost impossible to enforce. Another option is to lockdown the USB ports on employees’ machines. Again, it sounds good in theory, but as one bank found out to its cost, this approach cannot distinguish between dangerous storage media and harmless human interface devices – which meant their helpdesk was deluged with calls from users who could no longer use their mice or keyboards!
A USB drive, a PDA, or a smart phone could, arguably, be a vital ‘tool of the trade’ for a mobile sales person. However, total indiscriminate lockdown, where a company dictates that no removable media devices can be introduced to the network, is counter-productive and highly inefficient.
The dilemma is that you cannot live without them – a small number of employees will always have a legitimate reason for using some form of removable media device – yet they pose serious risks if not carefully controlled.
Five steps to mitigating the removable device risk
So how do you close down this major security loophole? The five steps below outline how you can ensure your organisation is adequately protected against the threats posed by removable devices:
Understand the risk
How many employees use portable media devices at work? How often do they connect those devices to the network? Firstly, you need to determine how removable devices are currently being used within your organisation. Some vendors, such as Centennial Software include free trial auditing software that can help you determine the risk to your organisation before you define and deploy your security policy.
Review the business requirements
For a minority of employees, using a PDA to keep track of appointments and contacts or taking a large Powerpoint presentation to a sales pitch on a USB drive are efficient ways to conduct business. However, connecting an iPod to the network and downloading music almost certainly is not. The key is to determine what constitutes a legitimate business need by a department or individual employee – whatever activity is not entirely necessary is an operational risk that needs to be addressed.
Create a removable device policy
Existing ‘acceptable use policies’ (AUPs) may provide some direction on how employees use portable media devices, but are unlikely to provide detailed or enforceable guidelines. AUPs need to be regularly revised to ensure they are current with the business’ attitude towards security. What’s more, employees must be aware of the policy through effective internal communication.
Enforce the policy
If there is no electronic enforcement of these written policies, human nature means that breaches will occur. While complete PC lockdown is a common method for protecting against USB security breaches, companies must be aware that blanket restrictions of a user’s access rights will dramatically impact productivity. Key points to bear in mind when assessing possible options for automating removable device management include ensuring protection against the use of Wi-Fi, Bluetooth and Infrared ports.
However, any tool for protecting against removable media devices must not impede staff from carrying out their daily responsibilities. Make sure your chosen solution allows different policies for different employees.
Educate, review and repeat
Don’t leave staff in the dark. Communicate that security software has been deployed to help enforce the acceptable use policy that has been established. Ideally, your chosen tool should be able to help employees understand the security measures in place and refer them to the appropriate parties if they have further questions. Once deployed, it is important to continue monitoring device connections to spot trends and ensure that the policy is consistent with the current perceived level of threat.
Even though internal security has been overlooked in many of today’s organisations, it is never too late to take action. Those companies that choose to ignore the threats posed by employee-facing network access points not only risk the loss of intellectual property, but more importantly, the company’s reputation.