By Will Sturgeon, 13 July 2004 16:40
NEWS Businesses are failing to crack down on the use of removable memory devices within their organisation despite growing concern about the damage such media can cause.
iPods, digital cameras, flash memory devices, USB memory keys and CDs are just some of the devices which flow in and out of organisations with their employees on a daily basis and yet there are very few safeguards in place checking just what data is coming and going.
Whether it's viruses or illegal content being brought into the organisation or sensitive data being taken out - the picture is one of lax security and a failure to recognise and deal with a serious threat to a business's very existence.
Today the MoD announced it has banned iPods from entering Ministry premises and now research from Vanson Bourne has revealed the extent of the threat and the lack of awareness which dogs UK businesses.
According to the findings, 84 per cent of companies have no policies in place to prevent employees using any removable media. It's perhaps unsurprising therefore that 83 per cent of companies have been the victim of some form of electronic crime.
The research found that 85 per cent of employees use mobile media to transport data from work to home and vice versa - though knowledge of what that data consists of is very sketchy among management.
And the threats should be obvious to all. In fact, 82 per cent of companies surveyed acknowledged that removable media does pose a threat to their networks. Perhaps the clearest threat is that posed by malicious code which could be unknowingly, or wantonly, introduced.
Andy Campbell, MD of Reflex Magnetics, who commissioned the research, told silicon.com: "There is a lot of malicious code bypassing company firewalls in this way and there are other threats to the business, such as illegal software or files such as MP3s, being moved onto the company network."
Companies are increasingly being held liable for all data on their network, so just because one rogue employee brings in a device full of illegal MP3 files and downloads them onto a work PC, it could be the business that suffers costly litigation.
Similarly, illegal software on the network could also prove costly.
But it's not just what's coming into the organisation which should be of concern. The greater threat may actually be posed by what is leaving the company each day in a pocket or briefcase.
Campbell said a company's entire database could easily be taken out of the building on the kind of storage devices available now and for many companies "short of giving everybody a full body search there is not a lot they can do".
However, Campbell doesn't advocate banning all such devices or blocking their use - partly because it creates an 'us and them' culture across the organisation but also because there are often very valid operational reasons for keeping USB functionality working, for example.

Comments
There are 12 comments.
1. Mickael Behn
I see this article has popped up again in a different form. This is not new, none of this is new. I don't understand why it suddenly came out in the open with a "scary headline". I wonder sometimes if Security companies create the Scare culture they try to save us from. Everything is a danger and everyone is a danger. Let's just tape up every connection port on the computer and block every port and just allow word processing software... oh oh oh no... we now have a typewriter.
2. P Fretter
What a load of "scare-mongering". Is someone trying to make a name for themselves by pointing out the obvious? Anyway, just how are memory sticks any more of a threat than floppy or zip disks were?
(Ed note. Storage capacity is one obvious area. Increasingly devices are coming with far higher storage capacities. Good luck stealing a company database on a floppy disk. A lot of this should be common sense, if it takes - in your opinion - 'scaremongering' to make it happen then that's perhaps not such a bad thing. We're not even convinced this is scaremongering.)
3. Marvin Willson
Hold On! Don't you class CD-Rs and even Floppy disks as "Removable Media"? Paranoia is getting the better of some companies. Now everyone with an MP3/cd player is a threat. Cyber crime for the masses? Neo would be SOOO proud. Let's face it, if someone really wants to breach company premises with such devices, they WILL find a way so Mickael Behn may be right. It appears the only way to eradicate such threats is a move back to thin client scenarios. Come back Nixdorf ALL IS FORGIVEN!!!
4. anonymous
What about if the employee(s) copies information on a sheet of paper or photocopies some information, will paper be banned next?
This is really silly and a complete waste of time.
Next they will be wiping employee memories so they don't know what they worked on and reload it in the morning when they arrive for work.
5. anonymous
As Mickael says, just another scare story from a Security company which just happens to sell a product which allows you to control access to these ports.
No wonder businesses are getting wary of the IT industry.
6. Bernice
What's new here? Floppies have always been a security hazard, introducing viruses and enabling data theft. Such devices are the same; fortunately most machines no longer by default boot from them.
To a person with malicious intent wireless devices are much more fun.
7. Paul Mallett
Easy solution - don't have USB ports, or removable drives on sensitive networks. Then you don't have to frisk people for this long list of devices at the door!
8. Michael Foggin
People comparing memory sticks and the like to floppies and sheets of A4 are naive beyond comprehension.
I recently bought a 1GB SmartCard for a camera which would be more than enough to copy huge swathes of confidential company data onto. If a salesperson leaves and takes your marketing contacts list with them you'd be none too pleased; it's (intellectual property) theft pure and simple.
Companies are increasingly dependent on their data resources in order to succeed, small startups especially, and dismissing this serious threat as 'scaremongering' is a joke.
We do a lot of outsourced work for major companies in sensitive areas like payroll and IT infrastructure. For me to be able to walk out of the building with several man years' worth of source code or the home addresses and bank details of the employees of a multinational company on a 'key fob' is very, very serious and I suspect the nay-sayers would be up in arms if it was THEIR personal details I was walking away with.
9. anonymous
Regarding the "Ed note" in the comment "What a load of 'scare-mongering'".
When floppies came out you COULD store the entire company database on them. Same with CD-R disks... etc. The removable storage devices of today are in essence the floppies of yesterday and in fact don't hold as much proportionally to non-removable storage as floppies did in their heyday. I still have a 3 meg hard drive kicking around here somewhere....
10. anonymous
As sensitive company data has grown in size so has the media we use (memory sticks, CDs). I don't see why the security issue has been brought up in such a scare mongery way. As long as we have removable devices and printers the issue of people walking off with company confidential stuff is high.
If we look at the other side, which no one seems to have made comments about: people bringing inappropriate things into a company. This has been happening for so long.
Removable devices are not the only way in. So many people these days have home networks and with a little jiggery pokery they are placing things on home servers. Then accessing them from work. So banning these devices from entering the company is not much use.
11. Vicky Rushin
Fair enough. I'll stop bringing my work home. :-)
12. Dave Fletcher
If a secure operating system was used on the desktop instead of XP, which so far as I know is designed to happily mount anything plugged into a USB port, the problem would not exist.
In order to use USB storage devices on my Linux machine I had to create a mount point and add the appropriate incantation to the fstab file, which can only be done whilst logged in as root.
No matter what Bill may try to make us believe, Linux IS the secure operating system.