Removable storage is convenient, but it can be a security risk too.
Last week, tech website the Register reported that IBM had banned the use of removable storage devices for all its staff – citing security concerns as the main reason. Although the ban was already in place in parts of the business, IBM was said to be taking the policy company-wide, making all USB drives, flash disks and SD cards prohibited items in the workplace. It’s commonly known that portable storage media can be a security risk, thanks not only to the way they can spread malware but also due to people’s propensity for losing them while they’re filled with sensitive data. But is a thumb drive ban actually a good idea, and would it work for smaller businesses too?
Reasons And Limitations
As the Register reported, IBM announced the broadening of this policy via a company security advisory notice, written by Shamla Naidoo, the firm’s global chief information security officer. In it, she said the thumb drive ban was being extended because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” But she also admitted in the same advisory that it might be “disruptive for some.”
In fact, according to the report:
“She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches.”
Also critical of the measure was Salvatore Stolfo, writing on the CSO blog. Stolfo pointed out that ten years ago, the USA’s Department of Defense (DoD) did much the same thing, banning all removable, ‘flash-type’ drives on government computers, yet security breaches and leaks continued to occur. The sheer convenience of removable storage, it seems, is enticing enough to convince employees to flout the rules, and such a ban would not, of course, deter an insider from stealing data.
One suggested method for preventing the use of thumb drives is to fill USB ports with epoxy – a fairly drastic solution by anyone’s standards, and certainly not one that would make sense for the majority of businesses.
So rather than permanently cramming adhesives into expensive computer equipment, Stolfo’s answer to the thumb drive problem is to ‘beaconize’ all documents. This involves inserting a beacon into all your files, so that any changes to them are tracked and you are alerted if they’re copied or moved outside of their original location. Instead of issuing a thumb drive ban, he says, file beacons are more effective and don’t make life difficult for employees.
Of course, not everyone has the time, budget or know-how to set up such a system, but a blanket ban on removable storage is never going to be 100% effective. Even IBM is aware of that; in an update to its original report, the Register wrote:
“Since publishing this story we've heard whispers that IBM has taken note of staff objections to the removable storage ban, especially when doing software updates, and is considering making a few exemptions.”
What about the cloud, you might wonder. Surely staff could share and download files from the internet instead? Indeed, they could, but then you run into the same kind of problems as with thumb drives: data can be leaked (deliberately or inadvertently), and sensitive information can still end up in the wrong hands. In some cases, it’s probably safer to use a flash drive to share data than it is to upload it to an online location to the same end.
Is A Thumb Drive Ban Right For You?
While a true blanket ban appears to be off the cards for IBM now, it’s still taking a hard stance on removable storage, and that’s a strategy that could work for other businesses too.
At a recent TMB event on GDPR, for example, we decided against giving out promotional USB drives to our guests. These would have been filled with useful information and marketing material, and although we could have guaranteed that our files would be safe, we felt it sent the wrong message regarding cyber security. Although thumb drives have their uses, it’s not a good idea to plug a new drive into a business computer if you don’t know what’s on it. If it’s from someone you trust, they’re unlikely to have knowingly loaded it with anything harmful, but there’s no way of knowing if they’ve put something on there accidentally that could damage your business.
Yet we haven’t banned thumb drives in our business. Our staff know not to plug removable storage devices into their computers if they don’t know what’s on them, and they know not to put any sensitive, unencrypted data on them. And most of the time, our remote access tools and Office 365 mean we don’t need such storage to share our documents or work from home. But occasionally, USB drives can be useful, so when we need to use them, we’re free to do so.
Discouraging the use of portable storage might make sense, but trying to enforce a total thumb drive ban is going to be difficult to achieve and, ultimately, may be a waste of time. Instead, businesses should make sure all staff are aware of the dangers associated with removable storage devices, and that they know how to use them safely.