CMP Network Computing

The Threat of the Thumb Drive

By Courtney Macavinta

Just a few years ago, it would have seemed possible only in a James Bond movie for an entire computer's worth of data to be stored on a device smaller than a lipstick. Yet today, so-called thumb drives -- universal serial bus (USB) storage devices -- come no bigger than their namesake digit and are becoming ubiquitous in the workplace.

These devices, also known as memory sticks, can store up to 60 GB of data and enable employees to quickly swap and back up data, provide files to clients, or take work home without carting a laptop along for the ride.

Yet with the increased portability of thumb drives come heightened security risks. For one, their small size makes them easy to lose -- or hide. Once files are dragged and dropped to a thumb drive, an employee can slip the device into his or her pocket and head out the door without the bulk of a CD or floppy disc. Thumb drives are joining a host of other devices, such as iPods, removable hard drives, Zip drives, and mobile phones with USB storage capabilities, that pose security risks for companies with sensitive data. These devices don't keep data as secure as when it's stored behind an enterprise firewall or encryption-protected network.

The vulnerability of thumb drives has been most exemplified among government agencies. The U.S. Department of Commerce, for one, reported that it lost 46 thumb drives containing sensitive Census data as of last September. In another case, three drives containing confidential information were also found by police at the home of a Los Alamos National Laboratory worker. Last year, the Department of Defense had to notify approximately 207,570 enlisted Marines that a thumb drive containing personal records on those who served between 2001-2005 was lost.

"These USB devices have become fashionable -- they are made into necklaces and bracelets," says Joseph Martins, managing director of the Data Mobility Group. "You can walk out of your company with your 'bracelet' on and it really contains top-secret information."

Case in point: According to a September 2006 Forrester Research Inc. report, "Consumer Technology In The Workplace: Blessing Or Curse?", up to 90% of computer crimes are inside jobs. This creates a bigger problem for CIOs when the lost or stolen data is regulated and must be properly stored and protected. Here's how experts suggest that CIOs regard and rein in portable storage devices like thumb drives:

Step No. 1: Acknowledge the threat

CIOs must now add thumb drives to the list of devices that can add value to their organizations, but need to be governed by security policy and procedures. "People can stick thumb drives in their pocket, purse or eyeglass case," Martins notes. Data stored on thumb drives can also circumvent firewalls, anti-virus and anti-spyware software, and can be easily stolen or lost. Forrester advises that CIOs can stay on top of new devices and their subsequent security issues by nominating someone on the security team "to maintain a 'traffic light' system of the top ten consumer technologies -- green indicating very little security risk and red denoting a significant threat."

Step No. 2: Create a policy focused on your data

Any organization that allows portable storage devices or computers needs to develop a policy governing the devices. Furthermore, the policy should outline what kind of data can be stored on thumb drives. "For every piece of content produced, there should be policy about how to manage that content," Martins says. "The policy should be across all media and devices and the policy should be focused on the types of information that can be stored on them versus the mode of transportation."

Step No. 3: Educate employees

Forrester advises educating employees about the policy, why it's being implemented, the risks of these devices and which uses are permissible. "If possible, prompt users with security warnings when they are about to perform a potentially dangerous action," states the Consumer Technology in the Workplace report.

Step No. 4: Use encryption

In the case of the Commerce Department's lost thumb drives, the agency could at least take some solace in the fact that the data was encrypted. Martins says that it's essential to encrypt sensitive data that is stored on any device that comes and goes through a company's walls. "You should have that last line of defense -- render the data unusable to someone without the right authority," he says. A hacker might be able to break strong encryption, but most people will be unable to access encrypted data if thumb drives containing sensitive files are accidentally lost or left behind.

At the end of the day, with the proper policies and security measures in place, the risks of devices like thumb drives can be lessened. An important component is to educate the people who are expected to comply with those policies. That said, there is always a risk when sensitive data can be accessed or removed from a company's secure domain.

"Legitimate use can enhance productivity and morale and save money," Forrester concludes. "The key here is to minimize the possibility of sensitive data leaking outside the company."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

TechWeb is brought to you by CMP Media LLC, Copyright © 2004