05/07/11

By Nick Cavalancia, Vice President, Windows Management at ScriptLogic

Small to medium sized businesses (SMEs) need to be more proactive and preventative in their approach to data loss. With the ever-improving advances in technology combined with a ‘relaxed’ office environment, employees are increasingly taking personal devices such as USB memory sticks, iPads, iPods and even smart phones into the workplace. These same devices can be used to remove or copy sensitive information whether it is to work remotely or more sinisterly for malicious intent and financial gain.

There are multiple outlets for data on the modern PC through USB and other peripheral ports. These ports can be used in many ways for extracting data at high speed, including removable hard drives and devices and is one of the most vulnerable ways for sensitive data to leave an organisation.

Establish policies to keep private data secure

It is evident, that the solution needs to be a compromise; strict policies need to be implemented by IT administrators for USB port usage, but on a more granular level.

Firstly, USB storage devices are actually a convenient and efficient way to legitimately transfer and transport data. Travelling workers, tech support staff, IT consultants, students, and many other users have valid reasons for carrying data on removable storage devices and therefore this becomes a major challenge for IT administrators to control without crippling productivity.

Secondly, organisations also need to put policies in place to prevent potential security breaches and data theft as a preventive method rather than waiting until the violation has occurred. A recent report in March this year on data breaches in the UK, showed that negligence, in which employees lose vital data on laptops, phones or USB sticks, accounted for 31% of cases. The report also highlighted that the average data breach costs UK firms about £1.9m annually.

The lockdown of USB devices, other removable storage devices, and communication mediums (such as Bluetooth, WiFi, and even Serial and Parallel ports) protects networks against malicious software attacks and prevents sensitive data from getting into the wrong hands. Microsoft Window’s built-in Group Policy provides an all-or-nothing lockout on USB storage. However, this method is not sufficient enough for many organisations that need more of a fine-grained approach over which devices and ports can be used, how they can be used, and who can use them.

Through third-party software, IT administrators have the power to be more granular when setting these security policies. Having granular control over each device type (for USB devices this includes serial numbers, product IDs and vendor IDs), organisations can limit access to specific device classes, and can also restrict “read” but not “write” for users of CDs and DVDs. When selecting a third-party solution, the ability to determine who on the network has permission to use certain devices based on their group, computer class, type of device or any other established factor should be easily achieved. Organisations should look for software solutions that can lock all possible avenues of data leakage, and put permissions and policies in place to control who has access to which files, where and when.

Despite best efforts, breaches still happen. Now what?

If appropriate security measures were in place, they could find out how an individual may have taken the data and whether it was by mistake or intentional. Centralised reporting will also allow administrators to see all attempts at restricted activities, including who attempted them, what type of activity, when and where.

In order to create a balance between employees and SME businesses, strong but flexible security practices surrounding removable media devices need to be put into place. Employee satisfaction is an important factor in running any successful company, but securing company assets is equally if not more vital. Having a high quality software solution that monitors and prohibits the use of removable storage devices is the only way to ensure that data is protected and the network is always secure.