Managing the risk from removable media

Corporate data has never been so insecure and the ease with which it can now be removed from your office is frightening. Magnus Ahlberg, managing director at security experts Pointsec, looks at how you can minimise the risk.

The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by super-floppies and zip drives. And now, even these formats are disappearing as the mobile data storage market evolves.

Thanks to their large capacities, portability and simplicity, removable media have become one of the most popular types of storage device around today. You have only to go on a training course to be handed a memory stick with all your course notes stored on it.

The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large data stores with some built-in music software. And a growing number of people now view the MP3 player as both a data and entertainment tool.

The danger here is that, as an entertainment device, it falls below the business radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.

Here are some facts about corporate data:

  1. The average word-processing file is three pages long and between 25k and 30k. That means that a 20GB MP3 player could hold more than 750,000 documents.

  2. The majority of corporate networks do not audit what data a user copies to a local machine or attached device.

  3. 99% of those using mobile devices to transfer data use no encryption to protect that data.

Preventing people from bringing devices and media into the office is an extremely difficult problem. Look at the physical size of much of this media and it is easily missed in a pocket, briefcase or handbag. Short of instituting an invasive and very workforce-unfriendly search policy, keeping devices out of the company is virtually impossible.

The solution, then, appears to be one of management. The first step here is to decide on what you can and cannot enforce. Remarkably few companies realise how limited their powers actually are, especially with respect to current privacy and human rights legislation.

For example, preventing employees from bringing their MP3 player to work and then using it during lunchtime would require draconian terms of employment that would almost certainly be illegal. Companies that have tried similar experiments with regard to camera phones have found it hard to police and enforce.

What you can do, however, is ensure that all members of staff are aware that their terms of employment do not allow the connection of non-company devices to their computers or other peripherals. This means no downloading your photos to that nice colour printer, and no swapping music with the person who sits next to you if that means connecting to the computer and using it as a transfer point.

Administrators need to create security solutions that log the amount of data a user copies off the machine. It is already acceptable to search an employee’s hard disk for illegal files, but few companies do this. Nightly sweeps of hardware to find MP3, WMA, JPG and other file extensions would seem a simple thing. Unfortunately, all of these formats have legitimate work uses and are often used by software packages for saving business files, so an extension alone tells you little about whether a file belongs on the machine.
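As an added illustration of the volume-based logging the paragraph above calls for (this is example code written for this page, not a Pointsec product or anything the article supplies), the script below parses a constructed audit log of files copied to removable volumes, totals bytes and file counts per user, and flags users who exceed a volume threshold. The log line format, user names, file names and thresholds are all assumptions made for the example. File extensions are collected for context only, because, as the article notes, MP3, JPG and similar formats have legitimate business uses and cannot be treated as evidence on their own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit lines (not from any real endpoint agent): one line per
# file copied from a workstation to a removable volume. The field layout is an
# assumption for this example; a real agent would have its own format.
SAMPLE_LOG = """\
2005-06-14T09:12:33 user=jsmith dest=removable:E: file=Q2-forecast.xls bytes=184320
2005-06-14T09:13:01 user=jsmith dest=removable:E: file=board-minutes.doc bytes=61440
2005-06-14T12:05:17 user=jsmith dest=removable:E: file=customer-list.mdb bytes=734003200
2005-06-14T12:40:52 user=apatel dest=removable:F: file=holiday.jpg bytes=2097152
2005-06-14T13:02:09 user=apatel dest=removable:F: file=training-notes.doc bytes=30720
2005-06-14T13:02:10 garbage line that should be skipped by the parser
2005-06-14T17:55:41 user=lwong dest=removable:E: file=track01.mp3 bytes=5242880
"""

# One strict pattern for the assumed line layout; anything else is rejected.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class UserTotals:
    files: int = 0
    total_bytes: int = 0
    extensions: set = field(default_factory=set)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def aggregate(log_text):
    """Sum bytes and file counts per user; malformed lines are skipped, not counted."""
    totals = defaultdict(UserTotals)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t = totals[rec["user"]]
        t.files += 1
        t.total_bytes += rec["bytes"]
        name = rec["file"]
        t.extensions.add(name.rsplit(".", 1)[-1].lower() if "." in name else "")
    return dict(totals)


def flag_users(totals, byte_threshold=100 * 1024 * 1024, file_threshold=50):
    """Return {user: [reasons]} for users over the volume or file-count threshold.

    Flagging is on volume, never on extension: .mp3, .jpg and .doc all have
    legitimate uses, so extensions are reported for the reviewer's context only.
    """
    flagged = {}
    for user, t in totals.items():
        reasons = []
        if t.total_bytes > byte_threshold:
            reasons.append(f"{t.total_bytes} bytes copied (limit {byte_threshold})")
        if t.files > file_threshold:
            reasons.append(f"{t.files} files copied (limit {file_threshold})")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    totals = aggregate(SAMPLE_LOG)
    for user, reasons in flag_users(totals).items():
        print(user, "->", "; ".join(reasons),
              "| extensions seen:", sorted(totals[user].extensions))
```

With the sample data only `jsmith` is flagged, on volume (about 700MB in one day), while the user who copied a single MP3 and a photo is not; the thresholds are deliberately parameters, since the right limit depends on the role and the data the business actually handles.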

Remember, we are now in a world where almost every month a new piece of regulation over data protection and access appears. If you don’t sort this out now, the Office of the Information Commissioner – which is responsible for enforcing the data protection regulations – will simply impose substantial fines, and you will still have the problem.