Why You Still Need Rules around Thumb Drives
In January, the University of Texas MD Anderson Cancer Center notified more than 3,500 patients that their confidential information may have been compromised because a researcher’s thumb drive had been lost.

In December, the loss of an unencrypted thumb drive led a New England dermatology practice to pay a $150,000 fine under HIPAA.

Last October a thumb drive was stolen, putting the names, birthdates, phone numbers and health information of hundreds of Denver elementary school students at risk.

While much has been written about the risks of data loss associated with cloud computing and mobile devices, the humble thumb drive has largely been forgotten. But these portable storage devices — small enough to attach to a key chain — are capable of storing scores or even hundreds of gigabytes of data. That makes them potential security nightmares.

What’s the Risk?

There’s no question that thumb drives offer a convenient way for users to keep a copy of critical files handy. Just slip the device into a USB port, drag and drop files, and then pocket the device again. What could be easier? The tradeoff for that convenience is security.

Viruses: Users could bring in infected documents from home, or take home a business document to an infected PC, update it, and return it to a corporate file server. Network administrators typically combat viruses by installing antivirus software on email servers and restricting Internet sites with firewall settings, but the use of USB flash drives can bypass these safeguards entirely.

Inappropriate and malicious files: Users could bring in unauthorized software, MP3 files, video clips, pornography and other inappropriate files that affect productivity and violate corporate policies. Even worse is the prospect of spyware or keystroke loggers that could enable someone to capture passwords or other sensitive information.

Data theft: These devices greatly increase the risk of data theft and corporate espionage. A disgruntled employee or contractor could copy client lists, sales forecasts or research data in just a few minutes.

Data loss: Thumb drives open the door for data to fall into the wrong hands. Most of these devices have little or no security features, so anyone who finds a lost device may be able to access all the data on it. These devices can also be quickly stolen from a desk, or “borrowed” and returned to the office after the data has been copied.

What You Should Do

Thumb drives are extremely difficult for network and storage administrators to manage. Short of disabling all of the USB ports in an environment, they are nearly impossible to defend against.

However, it would be a mistake for organizations to attempt to forbid the use of the devices. To do so — or to create a burdensome set of rules — will simply drive their use underground and remove any control the business may hope to have over them. Ultimately, these devices cannot be locked out, so they must be accommodated and managed.

To deal with the potential problems personal storage devices create, organizations should develop guidelines and rules for their use. This should include educating users about the risks these devices can present, and establishing policies for taking data out of the office, or bringing files in from home. Encryption should also be used to protect sensitive information, particularly in regulated industries such as healthcare and financial services.
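The article leaves the "encryption" and "disable the USB ports" controls at the level of policy. As an added example that is not part of the original article, the PowerShell script below audits whether a Windows host actually enforces such a thumb-drive rule: it reads the registry values that Group Policy writes for the Removable Storage Access settings, the USBSTOR driver start mode, and the BitLocker To Go "deny write access to removable drives not protected by BitLocker" setting, then lists any mounted removable drives with their BitLocker protection status. The function names are my own; the registry paths and value names are the standard ones for these policies, and the encryption check assumes the BitLocker PowerShell module is installed.

```powershell
# Added example (not from the article): audit the Windows settings that govern
# removable storage so an administrator can confirm a thumb-drive rule is
# enforced rather than merely written down. Run from an elevated prompt.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value absent: the policy is "Not Configured"
    }
}

function Get-RemovableStoragePolicyAudit {
    # The GUID is the "Removable Disks" device setup class that the
    # "Removable Storage Access" policies key their Deny_* values under.
    $rsd     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $fve     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $usbstorStart    = Get-RegistryDword -Path $usbstor -Name 'Start'
    $denyRead        = Get-RegistryDword -Path $rsd -Name 'Deny_Read'
    $denyWrite       = Get-RegistryDword -Path $rsd -Name 'Deny_Write'
    $denyExecute     = Get-RegistryDword -Path $rsd -Name 'Deny_Execute'
    $denyUnencrypted = Get-RegistryDword -Path $fve -Name 'RDVDenyWriteAccess'

    $audit = [pscustomobject]@{
        UsbStorageDriverDisabled   = ($usbstorStart -eq 4)     # Start=4: driver never loads (the "disable the ports" option)
        RemovableReadDenied        = ($denyRead -eq 1)
        RemovableWriteDenied       = ($denyWrite -eq 1)
        RemovableExecuteDenied     = ($denyExecute -eq 1)      # blocks running programs straight off the drive
        WriteDeniedUnlessBitLocker = ($denyUnencrypted -eq 1)  # the "accommodate but encrypt" option
    }

    # One-line verdict: is at least one technical control backing the policy?
    $anyControl = $audit.UsbStorageDriverDisabled -or $audit.RemovableReadDenied -or
                  $audit.RemovableWriteDenied -or $audit.WriteDeniedUnlessBitLocker
    $audit | Add-Member -NotePropertyName 'PolicyTechnicallyEnforced' -NotePropertyValue $anyControl
    return $audit
}

function Get-RemovableDriveEncryptionStatus {
    # For every removable volume currently mounted, report whether BitLocker
    # protection is on. A drive that reports 'Off' is the lost-thumb-drive
    # scenario from the article waiting to happen.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mountPoint = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mountPoint
                Label            = $_.FileSystemLabel
                SizeGB           = [math]::Round($_.Size / 1GB, 1)
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown (BitLocker module unavailable?)' }
            }
        }
}

# Usage
Get-RemovableStoragePolicyAudit | Format-List
Get-RemovableDriveEncryptionStatus | Format-Table -AutoSize
```

The first function answers the question the article raises in "What You Should Do": whether the organisation chose to lock the devices out entirely (USBSTOR disabled or reads denied) or to accommodate them under an encryption requirement (writes denied unless BitLocker protects the drive). The second catches the gap between those settings and reality, since a drive that was written before the policy took effect can still be carrying unencrypted data.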