by Ruggero Contu

How to Tackle the Threat from Portable Storage Devices

Feature
Jul 22, 2004, 5 mins
CSO and CISO, Data and Information Security

USB flash drives, MP3 players and the like are everywhere nowadays. Giving your staff free rein to use them at work could lead to breaches of security and loss of data. We outline the risks and show how to minimize them.

Analysis

Businesses are increasingly putting themselves at risk by allowing the unauthorized and uncontrolled use of portable storage devices. We show which strategies and technologies organizations should adopt to manage them securely.

What are the security concerns?

The use of unauthorized portable storage devices poses many dangers, not least for the malicious code that they can introduce. High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world.

This underlying vulnerability has existed since the release of Microsoft Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically.

Portable devices include any kind of pocket-sized portable FireWire hard drive, like those from LaCie or Toshiba, or USB hard drive or keychain drive, such as M-Systems’ DiskOnKey. They also include disk-based MP3 players, such as Apple’s iPod, and digital cameras with smart media cards, memory sticks, compact flash and other memory media.

The devices pose two kinds of threat.

  • Intentionally or unintentionally, users can bypass perimeter defenses such as firewalls and antivirus scanning at the mail server, and introduce malware such as Trojan horses or viruses that, if not discovered, can cause serious damage.
  • Companies are at risk of losing intellectual property and other critical corporate data. Portable storage devices are ideal for anyone intending to steal sensitive and valuable data. Employees may also be responsible for losing data if they inadvertently mislay these devices.

The impact of the latter goes beyond the commercial value of the data for two reasons.

  • There are different privacy laws in different countries. This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party.
  • Companies’ reputations may be damaged as a consequence of information leaks. This is particularly the case for those operating in areas where client privacy must be preserved, such as the financial market.

What are company requirements and strategies for deploying these devices in the workplace?

Companies should forbid the use of uncontrolled, privately owned devices with corporate PCs. The prohibition should extend to employees and to external contractors with direct access to corporate networks.

Portable storage devices can undoubtedly provide very good practical benefits to a company and its workforce, and in many cases it would be impractical and counterproductive to ban their use outright.

A controlled approach would be a safer option. This would involve adopting certain security measures in terms of overall organization (policy) and specific tools (technology).

What are the best practices in managing these devices?

These general security recommendations can apply to a whole range of portable storage devices.

Adopt a suitable security policy on using portable storage devices

  • Create a specific policy to help outline company guidelines on using portable storage devices by specifying if, and when, they can be used.
  • Managers should set out the main procedures to be followed whenever such devices are used; for instance, requiring password protection and encryption of stored corporate data. This will also help mitigate the risk from loss or theft.
  • Make provision for training to increase awareness of the need for security in this area. A security-conscious workforce will be less likely to unwittingly leak sensitive information, by misplacing a storage device, for instance.

Use tools to help manage USB and FireWire port access

  • Adopt personal firewalls to limit what can be done on USB ports. Leading products to consider are from vendors like Sygate Technologies, Zone Labs and Symantec.
  • Look at other products that can control ports selectively. SecureWave offers a host-based security solution in which administrators create rules governing the use of PCs to control applications and devices. This allows only authorized devices to be used and bars access to unauthorized ones.
  • Use more traditional, host-based intrusion prevention products to assure compliance. This is a less straightforward process, but the system can be set to generate alerts when portable devices connect to a system. In this way, user activity is monitored so that individual access rights can be adhered to.
  • Consider employing mobile data protection products to encrypt corporate or sensitive data. The Encrypting File System is a widely available feature of the Microsoft Windows operating system. Vendors like Pointsec Mobile Technologies, Information Security Corporation and PC Guardian Technologies offer alternative specialist solutions.
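The second and third bullets above describe two controls that belong together: an allow-list of authorized devices, and an alert whenever a portable storage device is connected to a PC. The following Python script is an added example (not code from the article, nor from any vendor it names) showing how such a monitor can be built over host logs. The log format, the host names, user names and device identifiers are all constructed for the example; real products emit their own formats, and the Windows vendor/product IDs shown are illustrative values. The script parses device-arrival records, ignores non-storage devices such as keyboards, checks mass-storage devices against an allow-list keyed on vendor ID, product ID and serial number, and raises an alert for anything not on the list.

```python
"""Added example: allow-list check and alerting for removable-storage connections.

Assumes a host agent writes one line per device event in a simple
'key=value' format (a constructed format for this example only).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines: four device-arrival events on three PCs.
SAMPLE_LOG = """\
2004-07-22T09:01:12 host=WS-017 user=alice event=device_arrival bus=USB class=MassStorage vid=0781 pid=5406 serial=SNDK001
2004-07-22T09:03:45 host=WS-022 user=bob event=device_arrival bus=USB class=MassStorage vid=05ac pid=1203 serial=IPOD777
2004-07-22T09:05:02 host=WS-017 user=alice event=device_arrival bus=USB class=HID vid=046d pid=c016 serial=
2004-07-22T09:10:30 host=WS-031 user=carol event=device_arrival bus=FireWire class=MassStorage vid=059f pid=0a00 serial=LACIE42
"""

# Allow-list entries are (vendor id, product id, serial number). Matching on
# vendor/product alone would admit every drive of the same model, so the
# serial number is part of the key. Values here are constructed.
DeviceId = Tuple[str, str, str]
AUTHORIZED: Set[DeviceId] = {("0781", "5406", "SNDK001")}  # company-issued keychain drive


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    bus: str
    vid: str
    pid: str
    serial: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse '<timestamp> k=v k=v ...' into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    record = {"timestamp": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None  # a token without '=' means the line is not ours
        record[key] = value  # empty values (e.g. 'serial=') are kept as ''
    return record


def evaluate(log_text: str, authorized: Set[DeviceId]) -> List[Alert]:
    """Return one Alert per mass-storage arrival that is not on the allow-list."""
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("event") != "device_arrival":
            continue
        # Keyboards, mice and similar HID devices cannot carry data off the PC.
        if rec.get("class") != "MassStorage":
            continue
        ident: DeviceId = (rec.get("vid", ""), rec.get("pid", ""), rec.get("serial", ""))
        if ident in authorized:
            continue
        alerts.append(Alert(
            timestamp=rec["timestamp"],
            host=rec.get("host", "?"),
            user=rec.get("user", "?"),
            bus=rec.get("bus", "?"),
            vid=ident[0], pid=ident[1], serial=ident[2],
            reason="mass-storage device not on the authorized list",
        ))
    return alerts


def count_by_host(alerts: List[Alert]) -> Dict[str, int]:
    """Summarize alerts per PC, useful for spotting repeat offenders."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return counts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG, AUTHORIZED):
        print(f"{a.timestamp} ALERT host={a.host} user={a.user} bus={a.bus} "
              f"device={a.vid}:{a.pid}:{a.serial or '<no serial>'} ({a.reason})")
    print("per-host totals:", count_by_host(evaluate(SAMPLE_LOG, AUTHORIZED)))
```

Run against the constructed sample, the script alerts on the iPod on WS-022 and the FireWire drive on WS-031, while the authorized keychain drive and the keyboard on WS-017 pass silently. The same evaluation logic covers both the preventive control (the allow-list is what a port-control product enforces) and the detective one (the alert is what a host intrusion prevention product would raise).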

Consider using digital rights management technology as part of a wider protection strategy for proprietary information

On a broader level, and especially for those industries where intellectual property is of critical importance, digital rights management software provides persistent protection of digital assets by maintaining constant control over their use and distribution. Vendors like Microsoft, Authentica, Liquid Machines and SealedMedia offer products that protect documents and files sent via e-mail or shared across the wider company network.

As a general security best practice, managers should implement a desktop lockdown policy. They should also consider disabling universal plug and play, after pre-installing any desired drivers to permit the use of only authorized devices.

Businesses must ensure that the right procedures and technologies are adopted to securely manage the use of portable storage devices like USB “keychain” drives. This will help to limit damage from malicious code, loss of proprietary information or intellectual property, and consequent lawsuits and loss of reputation.

For more information on this and other security-related topics, including free research, visit gartner.com/security.