As the popularity of iPods continues to grow, those white bud earphones are almost as common in the workplace as they are on public transport. But in the time it takes to listen to one song, gigabytes of sensitive commercial material could be copied from the corporate network on to a digital music player.
iPods, iRivers and digital Walkmans are essentially high density data storage devices and can easily be used to transport almost any type of file – and with up to 60GB of storage, entire customer databases are not unrealistic.
And it’s not only music players that are the threat – digital cameras can be used as storage devices and tiny portable USB “keychain” storage devices are a hugely popular means of transferring data. The problem has hardly sprung up overnight – these devices have been around for years, as has plug-and-play support for USB and Firewire ports in Microsoft’s Windows.
But from being a largely geeky, complex and expensive option just a few years ago (remember Zip drives?), portable mass storage devices have become so common that your parents or your kids probably own one, and know how to use it.
“The difference now is huge volumes – you could carry flash memory around five years ago but they were 32MB, but you can put gigabytes in your pocket today,” says Antony Smyth, a partner at Ernst & Young’s information security group.
One risk is the transfer of viruses and other malware – whether intentional or not – while transferring songs, pictures, or other files for personal use. But by far the biggest concern is data theft.
“iPods have in fact become the tool of choice for fraudsters,” says Tracy Stretton, a consultant at Kroll Ontrack, which specialises in forensic data recovery. “They’re fairly innocuous, but they have the ability to download everything on the computer in a few seconds.”
Centennial Software, a UK vendor of IT asset management software, said its survey of 259 UK businesses in May found that 70 per cent of companies had acceptable use policies on using portable USB devices, but only 51 had technological barriers in place – despite the fact that more than half of IT managers surveyed used such devices at work on a daily basis.
However security is increasingly focused on internal threats. Statistics vary, but at least half of security breaches originate from inside the network. “Quite often it’s to do with mistakes or things that employees are not aware of,” says Ruggero Contu, an analyst at IT consultancy Gartner. “It may be that someone has downloaded the information for work, and maybe they lose it or misplace it.”
Mr Smyth says awareness of the risk is greatest in large organisations that rate their risk most highly. That includes those with highly sensitive data, such as government agencies and financial services companies, and call centre operators – who in addition to handling other companies’ sensitive data, are also bound by privacy regulations.
Their approaches vary, he says. One of Ernst & Young’s clients is disabling USB ports on all its computers, while another, which runs several call centres, retains the right to search data on any devices taken out of the building by staff or visitors.
But simply locking down every computer to prevent access via the USB or Firewire ports is not an attractive option for the many organisations whose staff rely on synchronising data with their PDAs, or using laptops, or countless other legitimate uses of portable storage.
There are software solutions offered by companies such as Centennial Software and Symantec’s recent acquisition, Sygate, that allow more specific control such as assigning different levels of USB privileges to individual users or user groups.
Another way of reducing the risk is only to allow use of USB storage devices that belong to the organisation and use encryption. Whatever the approach, it comes down to an issue familiar to any IT security manager. “Accepting that there’s a risk, and therefore getting the budget and the actions in someone’s pile of to-dos, takes a while,” says Mr Smyth.