Stick Threats

by msecadm4921

The explosion in low cost, portable storage devices is revealing dangerous flaws in security policies leaving organisations wide open to the loss of vital corporate information and compliance failure, argues Ian McGurk, Head of Security Consulting at Plan-Net Services.

UK organisations have invested heavily in security solutions designed to mitigate the threat posed by the internet, yet they continue to ignore the dangers posed by the surge of low cost, portable storage devices, from the memory stick to the iPod. There is growing evidence that employees are using these devices to systematically remove vital business and customer information from the organisation in a way that is completely untraced and untraceable.

They are also bypassing tight email and desktop security solutions by using these devices to share inappropriate material. Add in the dangers posed by introducing viruses via MP3 files and the potential copyright breaches arising from employees sharing music files, and organisations are in serious danger of breaching a multiplicity of regulations.

Most companies simply have not considered how vulnerable they are to the negative publicity associated with compromised information or compliance failure or what monetary loss could result from the leakage of confidential business information. But while these devices are endemic, their use can be controlled. So, will organisations become more aware and address this new corporate threat or, through inaction, continue to condone information theft and misuse, and leave themselves open to the consequences of lax security?

Data sharing

While the post-internet focus may have shifted technology investment dramatically towards protecting against external security threats, the dangers posed by the employee have always been significant. Indeed, surveys have consistently revealed that 80 per cent of security breaches are caused internally, by both accident and design. From the days of the floppy disk to the sales manager caught smuggling customer database printouts from the building, a percentage of employees have always been looking to gain commercial advantage from corporate data.

But the new generation of mobile storage devices has transformed the ease with which information can be stolen. These devices are small, simple to use and easy to conceal. They are plug and play, so no IT expertise is required, and they plug into every PC with a USB port. Indeed, with a 0.5 Gb memory stick retailing at less than £20, these tools are becoming standard for virtually every computer user. With the phenomenal numbers of iPods, MP3 players and even the latest generation of mobile phones with built-in storage, the opportunities for simple, fast copying of information are unprecedented.

Implications

The implications for UK business are significant. From the sales director moving jobs swiftly downloading the full customer database to the junior production team sharing music files, often in breach of copyright, the potential business cost cannot be ignored. And that cost is growing, with anecdotal evidence suggesting incidence of information and system misuse via these devices is rapidly on the increase.

Employee risk

Despite the clearly growing threat, few organisations have any awareness of this issue. Yet even the most rapid assessment of how much sensitive corporate information is at risk of theft or corruption immediately highlights the ease with which an organisation can be compromised. Having spent a fortune on perimeter security, can organisations really justify their blind faith in employees, expecting them to behave sensibly and morally at all times? Or is it time to wake up to the dangers and impose real control?

A way to regain control would be to ban all mobile devices and disable the USB port. But in a commercial environment where remote working has become standard, the ease with which information can be stored, moved or shared via these devices is delivering real productivity benefits. Furthermore, the issue is not just about the mobile device plugged into the USB port. Controlling the printing of sensitive data or use of infrared devices is just as important. Organisations need to take a proactive approach to developing security policies that address not just the use of email and Internet but also mobile devices.

Regaining control

To support these new policies organisations need to implement technologies that can enforce control over the use of mobile devices. A key component of that control is the ability to audit all activity across all ports and devices, providing real visibility into employee activity. There are further actions that can be taken, such as imposing a copy limit per device, with each device linked to a specific user. By taking this approach, any user attempting to copy, for example, more than 20Mb in any 24 hour period, will raise a security alert.
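The per-device copy limit described above, as an added example that is not code from the article or from any product: a sliding 24 hour window per (user, device) over a constructed audit-log format, raising one alert when the copied bytes first exceed the limit. The log format, the 20 MiB reading of "20Mb", and the sample entries are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Article's rule: more than 20Mb copied to one device in any 24 hour period
# raises an alert. Read here as 20 MiB (assumption); adjust to your policy.
COPY_LIMIT_BYTES = 20 * 1024 * 1024
WINDOW = timedelta(hours=24)

# Constructed audit-log format (not any real product's):
# <ISO timestamp> user=<name> device=<serial> action=copy bytes=<n> file=<path>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
                     r"action=copy bytes=(?P<bytes>\d+) file=\S+$")

def parse_line(line):
    """Return (timestamp, user, device, bytes), or None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["device"], int(m["bytes"])

def find_alerts(lines, limit=COPY_LIMIT_BYTES, window=WINDOW):
    """Sliding-window check per (user, device); one alert when the bytes copied
    within any 24 hour window first exceed the limit."""
    events = sorted(e for e in map(parse_line, lines) if e)  # oldest first
    recent = defaultdict(deque)   # key -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)
    alerted, alerts = set(), []
    for ts, user, device, nbytes in events:
        key = (user, device)
        recent[key].append((ts, nbytes))
        totals[key] += nbytes
        # expire copies that are 24 h or older before comparing with the limit
        while ts - recent[key][0][0] >= window:
            totals[key] -= recent[key].popleft()[1]
        if totals[key] > limit and key not in alerted:
            alerted.add(key)
            alerts.append((user, device, ts, totals[key]))
    return alerts

# Constructed sample trail: alice copies 25 MiB inside 24 h (alert);
# bob copies 30 MiB but spread over more than 24 h (no alert).
SAMPLE_LOG = """\
2024-03-04T09:05:00 user=alice device=USB-0001 action=copy bytes=10485760 file=q1_forecast.xlsx
2024-03-04T17:40:00 user=bob device=USB-0002 action=copy bytes=15728640 file=photos.zip
2024-03-05T08:55:00 user=alice device=USB-0001 action=copy bytes=15728640 file=customers.csv
2024-03-05T18:10:00 user=bob device=USB-0002 action=copy bytes=15728640 file=archive.zip
malformed line that parse_line skips
"""
```

Running `find_alerts(SAMPLE_LOG.splitlines())` reports only alice's device; a device whose copies never exceed the limit within any single 24 hour window stays silent even if its lifetime total is larger.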

Schedule access

Alternatively, access can be scheduled – for example, only allowing access when the user is offline and without access to sensitive or important data. This is particularly important with laptops, where the organisation may want to impose different policies depending on whether the user is connected via the Virtual Private Network or a WiFi hotspot, for example. Further control can be achieved by taking audit copies every time a mobile device is used. With this approach, the organisation not only has a record of every time an individual uses a device but a complete copy of what has been saved. In this way, employees attempting to hide inappropriate content through innocent file naming can be identified and their activity proven.

Corporate value

Changing the security policy to embrace the use of mobile devices is an important first step – but it has little value without tools to enforce that policy, particularly given the implications for compliance with both data protection and industry-specific legislation. Robust audit and control tools will raise the alarm should any employee attempt to use a device outside the prescribed policies. Under the Data Protection Act, organisations must take reasonable measures to protect personal information. Combining the audit trail with the copy of what has been taken also provides organisations with more than enough proof to demonstrate to auditors or regulators that effective mechanisms have been put in place to support compliance requirements. Furthermore, organisations now have the evidence to prove an employee’s attempt to misuse information. And, especially in cases of attempted theft of information, they are more likely to go public, seeing real value in an ability to demonstrate the strength of information control.

Publicity

For those still leaking data and suffering information abuse as a result of inadequate security policies and poor control, any publicity is likely to be extremely negative and therefore unlikely to reach the public eye. As a result the majority of companies still have no realisation of just how vulnerable they are to information misuse that could not only undermine their competitive position but cause compliance failures and serious breaches of law – from copyright to employee harassment. These devices are now so prevalent that UK businesses cannot continue to ignore this threat.

© 2024 Professional Security Magazine. All rights reserved.