As if CSOs don't have enough to worry about, the explosion of portable storage-based devices -- in the form of thumb drives, iPods, flash drives and others -- raises a whole host of issues.
Unfortunately, the writer of this Help Net Security piece -- who clearly has his heart in the right place -- doesn't do too much to calm the fears. He focuses on the dangers of USB-connected widgets and spends little time explaining what can be done. Of course, it's not his fault that solutions tend to come up a bit short.
The dangers are rampant. USB drives can smuggle proprietary data out of the office and bring malware in. The most frightening thing about these devices is that their portability makes firewalls largely meaningless. They are a wild card.
The writer does offer seven tips for ensuring the safety of mobile storage devices. Problem is, the assumption behind most of the items is that the gadgets are company issue, or at least are devices of which IT is aware. This isn't always the case. For instance, maintaining an audit trail of data on portable corporate devices surely is a good idea. But it won't account for data that employees download onto their own iPods.
We're not trying to pick on the story, which is a good one. The point is that two issues -- both deleterious to security -- are at play here. One simply is that the convenience and business advantages of mobility extract a price in reduced security. There's no way around it. Careful organizations can limit the risk, but not eliminate it.
The second issue is that iPods, digital cameras and memory sticks are simply an unknown for IT. A well-managed IT staff will know how many corporate devices are in users' hands and the security status of each device: Is the antivirus software up to date? Is the data encrypted? Does the machine have an automatic wiping function? Does it have a firewall? There will be unknowns -- whether employees are using security software, for instance -- but at least IT will know what it is they don't know, so to speak. Not so with consumer electronics.
Certain steps, such as educating users, are useful. But the reality is that what an IT department doesn't know about employees' personal mobile devices can -- and often will -- hurt it.