
Sticking security where the sun don't shine

Davey isn't a big fan of USB sticks. And, from a security standpoint, it's easy to see why.


COMMENT: I was somewhat saddened to learn that security vendor Sophos had purchased a job lot of USB sticks from a lost property auction and discovered that security is still not a priority for, well, pretty much anyone it seems.

OK, first things first, let's get out of the way the fact that the lost property auction in question was in Australia and the sticks in question were lost on a public transport system. I mention this as you may argue that there's a huge difference between the average consumer approach to securing data on these thumb-drives and the average enterprise-level security strategy employed. My response is, sadly, far too many enterprise employees are carrying, and losing, such devices complete with unencrypted data for me to agree with you.

Indeed, from the largest enterprises - NHS data disasters anyone? - to the smallest of SMEs, when it comes to USB thumb drives it would appear that security is being stuck where the sun doesn't shine.

Quite apart from the small point that nobody needs to be carrying data around in their pockets on a device so vulnerable to loss or theft when much more secure alternatives for transporting data exist, to do so without encrypting that device, and the data upon it, is tantamount to ITSec suicide.

Despite all of that, the Sophos study found that 100 per cent of the 50 lost USB sticks it purchased through the auction system contained unencrypted data. What's more, the researchers also found that 66 per cent contained malware.

Now, given that many employees seem quite happy to throw a bit of data onto a thumb drive to take work home with them, either in breach of existing security policies or because no such security procedures relating to the transport of data via mobile devices exist, one has to assume that malware being introduced to the corporate network via such a device is a real possibility. Yet another reason why, I would suggest, it is time to start taking USB sticks very seriously indeed.

Whenever I am asked about the subject, I always return the same three questions:

1. What data are you thinking of moving around like this?

2. What encryption methods are you thinking of using?

3. What on earth are you thinking?

The last one usually catches people by surprise, as they often haven't considered that the very same employees thinking about dumping data insecurely onto a thumb drive have a smartphone in their pocket, or a netbook in their bag, which could happily connect to a very secure VPN and grab the data from there without creating the same huge potential security hole.

Sure, USB sticks are cheap but in terms of security they are also pretty nasty. I'd rather see them included in a list of NOT ALLOWED ITEMS in an acceptable use policy document and confiscated on sight if spotted in the workplace. I admit this is unlikely to happen, so it usually ends up coming back to question number two and exploring the lack of encryption.

But it isn't just the encryption, or lack of, that's a problem. The management of these devices is also at fault. If your employees are going to use thumb drives no matter what, and sometimes it pays to be practical about such things, then much better they do so with your approval and under your control. By which I mean some kind of system which enables central management of the devices in terms of device auditing and data encryption as well as the ability to remotely wipe them clean of all data if lost or stolen.

If you are a large enterprise (other than the NHS, experience would suggest) then you probably already have something capable of doing this, and if not then you will surely have the budget to buy one in. At the smaller end of the enterprise equation, where the USB stick problem is most obvious, cost is an issue that is always thrown in my face when talking about security. Luckily, there are some reasonably low-cost solutions available which I have covered before for sister title PC Pro and are worth a look.

I'd still be happier if everyone took my "stick it where the sun don't shine" advice and did away with the problem of USB thumb drives altogether though...
