Personal storage devices such as USB flash drives are more powerful than ever and have become ubiquitous in the enterprise environment. Originally designed for consumer use, these devices typically lack security, control and auxiliary management tools. Many employees don’t think twice about taking work home or out of the office on the personal thumb drive they purchased at a local center for office supplies. With millions of people carrying around personal storage devices, these gadgets are being used both innocently to increase productivity and for other less legitimate purposes such as smuggling information out of the enterprise.
Even when used with the best intentions, the data stored on USB drives is generally not covered by routine company procedures, such as backup, encryption, or asset management. How can companies keep track of the data coming in or leaving the company via these devices? Keeping company data secure has become a significant challenge for any corporate IT department.
Recent events in the industry have been cause for concern, leading IT professionals to understand that new policies and technologies must be set in place to protect information being stored on personal storage devices.
The following are just a few episodes that have driven the message home.
When a professor from the University of Kentucky discovered that his flash drive was stolen, private information for 6,500 former students was suddenly at risk. The data, including names, grades and Social Security numbers, left thousands of individuals exposed to the threat of identity theft, not to mention the violation of their privacy.
Flash drives with classified military information were up for sale at a bazaar outside Bagram, Afghanistan. The US Army realized they had to secure USB drives, find a way to keep track of the devices, and ensure that the information could not be accessed by unauthorized personnel.
When company information is stored on non-secure and personally owned devices, employees put their company at risk every time they step out the door. Auditing companies are at risk of exposing account numbers, hospitals can be exposed if patient information falls into the wrong hands, and finance companies need to ensure that mission critical data is not lost. Once company data falls into the wrong hands, the possibility of threats and risk are almost infinite. Companies lose credibility, leave themselves open to lawsuits, and expose employees to ID theft or fraud—just to name a few.
The risks from personal storage devices can be classified as follows:
- Data exposure due to device loss or theft
- Unauthorized data extraction
- Introduction of malicious code.
Enterprise Concerns Regarding the Vulnerability of USB Drives
With millions of USB storage devices in the marketplace, confidential company data is constantly on the move—and simultaneously at risk to loss or theft. The potential for damage caused by the loss of sensitive company data grows exponentially every day, underlining the need for proper security measures that cover these handy mobile storage devices. The following are some of the major security concerns related to the use of these devices:
- Data Leakage – To minimize the threat of data leakage, enterprises can start by limiting the use of USB drives to company-authorized devices.
- Regulatory Compliance – All organizations should ensure they comply with government and security regulations—such as SOX, HIPAA, GLB, California SB and FISMA—to minimize the risk of data loss. The first step is to set clear security policies, publicize among employees and enforced through use of technology that audits, tracks and backs up all information on mobile drives.
- Lost data and support costs – Despite security measures, data may be lost or stolen, leaving the organization in a position to minimize the damage done. Issuing company-authorized USB devices will enable the initiation of procedures to recover lost data and reduce the subsequent damage.
What can enterprises do to beef up security measures for personal storage devices? There are a number of hardware and software solutions used, ranging from data encryption to authentication, anti-virus protection, and other monitoring options.
There are a few solutions, such as blocked ports, encrypted storage devices and software encryption of data; however these solutions do not address all that is required to ensure a comprehensive secure solution for the majority of removable devices.
7 Steps to Securing Personal Storage Drives
The following steps will help your enterprise secure personal storage drives, both on and off the network.
1. Always define and publicize your company policy for personal storage devices.
2. Institute company-issued personal storage devices.
3. Make sure devices are fully encrypted.
4. Ensure that users cannot circumvent security measures.
5. Maintain an audit trail of data stored on devices.
6. Have the ability to recover data that resides on personal storage devices.
7. Make sure your enterprise solution is comprehensive enough to provide you with the ability to store information on secure USB drives, control the use of all removable devices both inside and outside the corporate environment, and centrally manage company-issued USB drives.
The value of portable storage devices in today’s business environment is clear. Equally clear is the initiative corporations must take to integrate these devices with their storage and security policies. By taking the right steps, today’s enterprises can secure their data by choosing the right technology that can both secure and monitor data, developing robust policies that protect company data to comply with regulations, and ensure the use of enterprise-ready personal storage devices.