Comment: USB sticks - An employee’s dream - IT’s worst nightmare

USB sticks can pose a serious information security risk.

USB drives, or memory sticks as they are sometimes referred to, are immensely popular and increasingly selected as the weapon of choice by employees looking for flexibility in their working environment. Having proved invaluable in increasing productivity, they are easy to use, regardless of the user’s technical ability, and able to carry millions of pages of data.

The scenarios where USB sticks bring benefits are numerous: working from home, working on location at a client site, using multiple computers, backing up your laptop when travelling, transferring information between your portable devices, and sharing data with customers at conferences or exhibitions, to name just a few. However, a word to the wise - this productivity comes at a cost higher than the original price tag.

These dream USB devices are proving an absolute nightmare for IT managers as they struggle to ensure the security of the data they carry. A standard DVD-data-sized (4GB) key fob USB drive can be bought online for less than £10 and from high-street retailers for little more. Couple this with the fact that a growing number of mobile phones and MP3 players are now starting to reach this level of storage capacity, and come with standard or mini-USB connectors, and you begin to understand the scale of the information security problem.

One serious information security risk is that of the USB stick being lost or stolen, as highlighted in an annual national independent study conducted by the Ponemon Institute into Trends in Insider Compliance with Data Security Policies.

The study, published June 2009, discovered that 43% of respondents admit to having lost or had stolen a portable data-bearing device such as a USB stick. Another increasingly apparent information security issue is that of spreading viruses and malware.

This was aptly illustrated by Ealing Council who revealed in September that it was forced to cut internet and phone links to preserve “core systems and data” when a worker plugged an infected memory stick into a computer in May 2009. The sophisticated virus spread rapidly, with further shutdowns required when the network was re-infected twice the next week, with all terminals having to be rebuilt or replaced.

The Council is faced with a £501 000 bill for the emergency recovery and in lost revenue, but it is feared the final cost could top £1.1 million if a new computer security system is needed. This is not an isolated incident and, in fact, was virtually the same as that suffered by Manchester City Council in February.

However, both of these risks can be counterbalanced by defining an effective information security strategy. Here’s how:

  • Ban staff using unprotected USB sticks and uncontrolled devices: In the first instance, companies should bar staff from bringing vanilla (i.e. unprotected) USB sticks onto company premises, or from using them on work-at-home PCs if company data is involved.
  • Give them something they can use: Employees want to use USB devices, so remove the allure of vanilla sticks and provide an authorised corporate secure USB storage device. Increased productivity should compensate for the initial outlay, and using a pooling system will help keep a lid on costs. By definition, ‘secure’ means a USB stick with a degree of security intelligence built into it. This intelligence is quite benign and sensible, typically including on-board anti-malware and anti-virus software - updated across the internet each time the device gains access.
  • Induction: If you don't already have a staff induction course, you need one, as all sorts of company legislation needs to be explained to new employees, as well as temporary workers from agencies. An important part of the process is to familiarise all employees with information security policies. It is worth stating that any amendments to the information security policy, and any other policies for that matter, should be communicated to existing employees with a method for tracking those that have been made aware of the change - ignorance shouldn’t be used as a defence.
  • Education versus draconian: Rather than ‘because I said so’, all mandates should include an educational element so as not to be viewed as a pointless exercise created by those who ‘don’t understand how we work’. Explaining the reasoning behind information security rules will often gain employees’ support, as they can follow the impetus behind the instruction rather than simply wishing to circumvent the obstruction.
  • Identify what’s out there: It's vital to use on-network / IT resource technology that analyses new devices as they are hooked up to the company system and locks out any unauthorised device. No exceptions, even for the MD.
  • Manage centrally: All USB devices should be involved in a remote portable device scheme, whereby portable devices are updated with information security policies and checked for general well-being as they connect to the company IT resource - directly, or across the internet. A reputable information security system will include the remote management and tracking of secure intelligent flash drives, and also include the ability to recover content, reset a password and re-deploy or destroy data on a device as and when required. It's often this remote control facility that proves a serious lifesaver for staff and management, as USB sticks and portable storage devices can throw a wobbly.
  • Backup: Finally, you'd be surprised how many people rely on these USB devices yet fail to take a back-up - even though their desktop or laptop PC is backed up automatically and regularly.
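
The ‘Identify what’s out there’ control above comes down to checking every newly attached storage device against a list of authorised ones. The following Python example is added here for illustration and is not part of the original article or any vendor's product; it audits Linux kernel log lines for USB mass-storage attachments, and the allowlist, device IDs, serial numbers and log excerpt are all constructed.

```python
import re

# Constructed allowlist of company-issued drives: (idVendor, idProduct, serial).
AUTHORISED = {("1234", "abcd", "CORP-000117")}

# Constructed log excerpt in the Linux kernel's USB message format.
SAMPLE_LOG = """\
[  101.10] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  101.11] usb 1-2: SerialNumber: CORP-000117
[  101.12] usb-storage 1-2:1.0: USB Mass Storage device detected
[  250.40] usb 1-2: USB disconnect, device number 5
[  300.00] usb 1-2: New USB device found, idVendor=ffff, idProduct=0001, bcdDevice= 1.00
[  300.01] usb 1-2: SerialNumber: PERSONAL-0001
[  300.02] usb-storage 1-2:1.0: USB Mass Storage device detected
[  410.00] usb 1-3: New USB device found, idVendor=ffff, idProduct=0002, bcdDevice= 1.00
[  410.02] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

FOUND = re.compile(r"usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
GONE = re.compile(r"usb (\S+): USB disconnect")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def unauthorised_storage(log_text, authorised):
    """Return (port, vid, pid, serial) for each storage attach not on the allowlist."""
    ports = {}      # USB port -> descriptor fields of the device currently attached
    findings = []
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            ports[m[1]] = {"vid": m[2], "pid": m[3], "serial": None}
        elif m := SERIAL.search(line):
            if m[1] in ports:
                ports[m[1]]["serial"] = m[2]
        elif m := GONE.search(line):
            ports.pop(m[1], None)       # forget the device so a swap is re-checked
        elif m := STORAGE.search(line):
            dev = ports.get(m[1]) or {"vid": None, "pid": None, "serial": None}
            ident = (dev["vid"], dev["pid"], dev["serial"])
            # A drive with no serial cannot be tied to an issued device: flag it.
            if ident not in authorised:
                findings.append((m[1], *ident))
    return findings


if __name__ == "__main__":
    for port, vid, pid, serial in unauthorised_storage(SAMPLE_LOG, AUTHORISED):
        print(f"unauthorised storage on port {port}: {vid}:{pid} serial={serial}")
```

The vendor ID, product ID and serial number are reported by the device itself, so a match is an audit signal to pair with endpoint device-control enforcement rather than proof of identity.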

In an ideal world, all staff would understand the need for information security, and backups for that matter, but life’s too short, and some staff, let's face it, have other priorities in life. They - and we - are only human after all. This is where an effective IT security strategy that utilises automated security management of portable storage devices, as well as other on-network resources, is so critical. Good management software operates unobtrusively in the background.

We can't all be as super-tech-savvy as Tom Cruise in Mission Impossible, but we can use our IT resources sensibly and comply with best practice, without having to worry about it. That's what differentiates a good IT security strategy from an effective one.


IronKey is exhibiting at Infosecurity Europe 2010, the No. 1 industry event in Europe held on 27 – 29 April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

IronKey's award-winning products and services combine the world's most secure flash drive with the world's most powerful USB management software. IronKey's USB flash drives bring the power of authentication, encryption, identity management and privacy to businesses and consumers in 23 countries. IronKey's management software and associated services allow enterprises of all sizes, government agencies, the military, and other organisations to take back control of the mobile data that has been leaking out of their organisations due to the uncontrolled proliferation of USB drives.
