Sticking security where the sun don't shine

COMMENT: I was somewhat saddened to learn that security vendor Sophos had purchased a job lot of USB sticks from a lost property auction and discovered that security is still not a priority for, well, pretty much anyone it seems.

OK, first things first, let's get out of the way the fact that the lost property auction in question was in Australia and the sticks in question were lost on a public transport system. I mention this as you may argue that there's a huge difference between the average consumer approach to securing data on these thumb drives and the average enterprise-level security strategy employed. My response is that, sadly, far too many enterprise employees are carrying, and losing, such devices complete with unencrypted data for me to agree with you.

Indeed, from the largest enterprises - NHS data disasters anyone? - to the smallest of SMEs, when it comes to USB thumb drives it would appear that security is being stuck where the sun doesn't shine.

Quite apart from the small point that nobody needs to be carrying data around in their pockets on a device so vulnerable to loss or theft when much more secure alternatives for transporting data exist, to do so without encrypting that device, and the data upon it, is tantamount to ITSec suicide.

Despite all of that, the Sophos study found that 100 per cent of the 50 lost USB sticks it purchased through the auction system contained unencrypted data. What's more, the researchers also found that 66 per cent contained malware.

Now, given that many employees seem quite happy to throw a bit of data onto a thumb drive to take work home with them, either in breach of existing security policies or because no such security procedures relating to the transport of data via mobile devices exist, one has to assume that malware being introduced to the corporate network via such a device is a real possibility. Yet another reason why, I would suggest, it is time to start taking USB sticks very seriously indeed.

Whenever I am asked about the subject, I always return the same three questions:

1. What data are you thinking of moving around like this?

2. What encryption methods are you thinking of using?

3. What on earth are you thinking?

The last one usually catches people by surprise, as they often haven't considered that the very same employees thinking about dumping data insecurely onto a thumb drive have a smartphone in their pocket, or a netbook in their bag, which could happily connect to a very secure VPN and grab the data from there without creating the same huge potential security hole.

Sure, USB sticks are cheap but in terms of security they are also pretty nasty. I'd rather see them included in a list of NOT ALLOWED ITEMS in an acceptable use policy document and confiscated on sight if spotted in the workplace. I admit this is unlikely to happen, so it usually ends up coming back to question number two and exploring the lack of encryption.

But it isn't just the encryption, or lack of, that's a problem. The management of these devices is also at fault. If your employees are going to use thumb drives no matter what, and sometimes it pays to be practical about such things, then much better they do so with your approval and under your control. By which I mean some kind of system which enables central management of the devices in terms of device auditing and data encryption as well as the ability to remotely wipe them clean of all data if lost or stolen.

If you are a large enterprise (other than the NHS, experience would suggest) then you probably already have something capable of doing this, and if not then you will surely have the budget to buy one in. At the smaller end of the enterprise equation, where the USB stick problem is most obvious, cost is an issue that is always thrown in my face when talking about security. Luckily, there are some reasonably low-cost solutions available which I have covered before for sister title PC Pro and are worth a look.

I'd still be happier if everyone took my "stick it where the sun don't shine" advice and did away with the problem of USB thumb drives altogether though...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
