





USB - Used to Steal your Business?
This article poses questions, presents examples, and details research of security threats that could easily impact your business or organization.
DENVER — April 04, 2005 — Have you seen the movie Antitrust? In the movie, a software company's infrastructure is locked down so tight it makes Fort Knox look like a public park. Email and Internet access are constantly monitored, employee movement is tracked via security badge swipes, even personal activity by the employees is tracked by “big brother.” However, the way software code is eventually stolen is far simpler than these complex security nets. An employee simply plugs a USB memory stick into a computer, downloads private data, hides the USB stick in the bottom of a coffee mug, and walks right through the security checkpoint, taking gigabyte portions of the company with him in each nightly departure.
Ever since the release of Windows 2000, users have enjoyed the convenience that comes with USB. Many of you probably use the widely popular USB memory sticks, sometimes referred to as flash drives, pen drives, cruzers, etc. This simple, cost-effective device is a blessing for those of us wanting to take our files with us beyond the office, whether to access our files from home or to carry an important PowerPoint presentation to another location without worrying about burning a CD or accessing the office private network.
Another rapid advancement in portable technology has been the advent of the PDA or smartphone, which allows us to carry our appointments, tasks, and contacts on a cell phone. New software can go beyond the standard synchronization, allowing files of all types to be transferred to the portable device.
But have you or your organization considered the negative aspects of these devices?
Accidents Happen
Have you considered what would happen if that portable storage device ended up in the wrong hands should you misplace it? Security breaches are not necessarily the result of intentional misconduct, but rather negligence or error. Lose your flash drive and every file on it is now available to whoever finds the device. How many files do you load to your flash drive? What percentage of those files contains private information?
According to a recent survey, the mobile device most likely to be left behind in Chicago taxicabs is the Pocket PC, with one driver finding 40 in his taxi in 6 months. The average individual might have customer contacts, calendar, and task information on the PDA. Others might have confidential files, personal data and passwords, and various other private intellectual property of the company stored on the PDA, which is now accessible to any individual who finds the device. It's no longer simply an inconvenience to lose your cell phone, or an embarrassment when one of your contacts receives a call from the stranger who's found it. Instead, personal and business information, some of it very private, can easily fall into the wrong hands.
Oftentimes a security breach can be caused by a well-intentioned employee who improperly handles sensitive data. However, good intentions are not excuses for the breach, and both the individual employee and the company could be held responsible for the breach.
No Accident
Switching gears from accident to fraud, what would you do if a malicious employee used a flash drive to steal information from your company, or even to give you unwanted data such as a virus? Gartner Research has confirmed in numerous reports that companies increasingly put themselves at risk by allowing the unauthorized and uncontrolled use of such storage gadgets. Even businesses that recognize the problem do very little to correct it. With these USB devices, you can easily plug straight into the computer and bypass the normal security systems and passwords in place.
Just ask Apple, who recently filed several lawsuits accusing insiders of leaking pre-released code of the newest Mac X operating system and the information regarding the newest music hardware device codenamed Asteroid. These incidents validate a Ponemon Institute survey of 163 Fortune 1000 companies that blamed 70 percent of all reported security breaches on insiders. Among the types of leaks suffered:
22% - involved customers' personal data
10% - involved workers' personal data
39% - involved disclosure of confidential business information
14% - involved leaked intellectual property, including software code
Consider how much data an individual might be able to take with a portable storage device. For $25, one can purchase a 128MB flash drive and slowly start stealing information. For $250, one can purchase an Apple iPod that looks like an innocent music player, but can also hold 20-60GB of regular file storage on its internal hard drive and offers high-speed USB transfer capability. Years ago, it was a high concern when a salesperson left the organization and took their personal relationship with their clients with them. Today, that same salesperson can walk out the door with the entire customer and client database on a portable storage device in their pocket that also plays their favorite Beatles song through attached earphones.
Solution
Some organizations like the UK's Defense Ministry forbid the use of such devices altogether. Other organizations realize the utility in allowing personal storage devices for practical business use and simply hope that no negative consequences will occur (hopefully not your business). The approach you should take involves analyzing the situation, setting organizational policy, and utilizing software and hardware tools to enforce the policy.
Any security policy should deal with such portable devices, detailing guidelines on each type of device and specifying if, and when, they can be used. Individuals should be trained on the specifics of the policy and made aware of what the security threats are and how to avoid them. And don't limit the policy only to employees; subcontractors, vendors and clients using your systems should also be considered.
To enforce the policy, specific tools should be implemented to manage the devices and ensure they conform to the policy. Personal firewalls can limit USB port usage while still allowing business-critical hardware and software to access the port. Monitoring systems can generate alerts when unauthorized portable device access is detected. Encryption solutions can ensure that even when the security policy is adhered to, if a device is misplaced or lost, the information is useless to those who find the device.
Cephas Innovation has over 10 years of consulting experience implementing IT Security policies and procedures with businesses both large and small. This article has posed questions and presented examples and research of security threats that could easily impact your business or organization. Whether you require help dealing with an existing threat, or want to develop effective safeguards against future problems, call upon our experience and dedication to ensuring your protection and well-being.



About Cephas Innovation
Cephas Innovation is a management and information technology consulting firm that combines Fortune 1000, enterprise-level experience and resources with an entrepreneurial delivery style to generate exceptional results for its clients. Founded in 1995, Cephas Innovation has worked with some of the fastest growing and most successful organizations in the world, including Avaya, Knova Software, LabOne, Qwest Communications, Research in Motion (Blackberry), SaskTel, Standard & Poor's, QLogic, and the US Golf Association. For more information about Cephas Innovation, visit www.cephasinnovation.com.

