In an attempt to minimize sensitive data loss, IBM will try out a worldwide, company-wide ban on the use of removable portable storage devices such as USB sticks, SD cards, and flash drives.
The introduction of the new policy is scheduled for the end of May, and coincides – whether intentionally or not – with the General Data Protection Regulation (GDPR) becoming enforceable.
An expansion of an existing policy
According to The Register, some IBM departments have been banned from using these devices for a while now.
The company’s CISO Shamla Naidoo must be satisfied with the results of that partial ban, or she wouldn’t have expanded the policy to cover all departments.
Naidoo informed IBM employees about the new requirement via an advisory, and noted that the decision to implement it worldwide was made because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”
Instead of portable storage drives, IBM employees are expected to use IBM’s cloud services for file syncing and data sharing.
Is a portable storage devices ban the way to go?
Such a policy seems a no-brainer at first glance, but security experts have pointed out a few problems with it.
Will it work well enough in practice, when portable audio recorders and other similarly helpful devices can function part-time as a USB drive? Should exceptions be made for those devices or not?
Is the alternative cloud syncing and storage option easy to use for everyone, and if it’s not, will the policy end up fueling the use of “shadow IT” alternatives?
Apparently, some IBM staff have already put forth objections to the hard ban, and the company is considering introducing a number of exemptions.
Mandating the use of encryption for the removable storage devices in these cases seems like a wise and easy-to-implement decision.