Thought for the day : Is that a USB in your pocket?

A single USB stick can hold a wealth of data, but have companies realised the security risk these pose, asks Colin Beveridge.

Colin Beveridge  
A single USB stick can hold a wealth of data, but have companies realised the security risk these pose, asks Colin Beveridge.





I’ve been in this business for 25 years now and I can usually cope fairly well with the day-to-day issues of IT management, so long as I have a good team to support me, of course.

But for the first time in my IT career I have been losing sleep over technology, or more precisely over the misuse of technology.

And the culprit responsible for my incipient insomnia is the USB memory stick. There is no doubt whatsoever that if I could put just one piece of computer kit into the BBC’s Room 101, it would be the memory stick.

In the past 12 months, these very cheap and relatively high capacity storage devices have really taken off and wherever I go these days I find somebody using a memory stick as a convenient medium, either for launching a PowerPoint presentation, or for storing confidential data. Which is why I have lost some sleep over these gadgets.

I accidentally discovered that a USB memory stick had been misused to download a large wodge of highly sensitive and business-critical corporate data for private use - a very worrying situation for any IT director but doubly so for a business where information is the primary commercial asset.

My sleepless nights were spent wondering just how much data had quietly leaked through the door, how long it had been going on and how we could quickly close the gaps in our security.

In some respects we were lucky to discover and deal with this misuse fairly quickly, but it was entirely due to good fortune, rather than good management. For some inexplicable reason, we hadn’t taken the appropriate steps to counter the fairly obvious security threat posed by the convenient, and largely undetectable, misuse of a memory stick.

But I’ll bet a pound to a penny that we weren’t the only company which had ignored the USB memory stick threat.

Even though, for many years most organisations had religiously disabled the floppy drives on their corporate PCs, either by the use of physical contraptions, or through system software configuration, to prevent such “leakage” of data and/ or the introduction of “rogue” software.

I’ll also bet that right now there are terabytes and terabytes of very valuable and very sensitive corporate data being carried around the UK on lightweight USB memory sticks, much of it stored by the stick owners without any official sanction or knowledge. Which rather makes a total nonsense of other corporate security measures, such as photocopier copy protection.

So why don’t we readily recognise the potential commercial damage that we could suffer from these much more powerful removable memory devices?

A single USB stick can hold more data than hundreds of diskettes and is much easier to use. Huge data files can be saved to such sticks in the blink of an eye and then casually popped into a pocket, without anyone else realising what has happened.

Frightening isn’t it? Maybe there are many more IT directors and managers out there with sleep problems, looking for a way to deal with the security issues of data misuse behind the firewall.

For sure, we mustn’t get too paranoid about this but it is a genuine problem, albeit posed by a tiny minority of people.

We have to trust each other. But sadly there will always be somebody who abuses the general trust and, like many other aspects of IT security, we have a duty of care to put safeguards in place to deal with all of those “it will never happen to us” threats, no matter how remote we may gauge the possibility.

At the moment the only practical defence measure against the ubiquitous USB memory sticks seems to be adopting a universal policy of random PC audits to discover traces of inappropriate usage, which itself poses a number of serious privacy issues. Either that, or perhaps we should simply ban the use of USB sticks and laptop CD writers entirely.

Desperate measures indeed, but I honestly can’t see any other way of protecting our company data effectively.

Colin Beveridge is an independent consultant and leading commentator on technology management issues. He can be contacted at [email protected]

Read more on Privacy and data protection