Get Safe Online


Prevent data theft using removable devices

Be wary of portable storage devices

MP3 players, digital cameras and pen drives can store lots of data. Don’t let disgruntled employees use them to steal your company information.

Risks from removable devices

Tiny handheld devices now have memory capacities that dwarf computer disks of a decade ago. For example:

  • A portable music player could store 60 gigabytes of data – enough to copy a typical hard disk.
  • A thumb-sized memory stick can store 512 megabytes – enough for a personnel database and hundreds of Word documents. This is equivalent to 364 floppy disks.
  • Many phones, PDAs and cameras can be connected to PCs with a cable or infra-red link and can be used to transfer computer data.
  • Many computers have CD-ROM burners which can write 640 megabytes of data to a blank CD.
  • With broadband internet connections, employees can email vast quantities of data out of the office without anyone knowing.

The risks are obvious:

  • A salesman quits but takes your customer database with him.
  • A corrupt employee sells private data to criminals.
  • Industrial espionage.
  • Sabotage or extortion.
  • Even if such data transfer is legitimate, there is a risk that these devices could be lost or stolen.

Protect your data

There are a number of techniques that you can use to protect your data:

  • In ultra-high security environments you can simply ban these devices, block up USB ports on computers so the devices can’t be plugged in, and remove all floppy disk and CD drives. This is impractical in most situations.
  • Conduct a risk analysis and look at the kind of information that is stored on the company network, who has access to it and what would happen if they were able to take it out of the building.
  • Control access to the data.
  • Compartmentalise people’s access to data on a need-to-know basis. Does everyone need full access to the customer database or accounts? Can you give people more limited access, for example by using an access-controlled database rather than a spreadsheet?
  • Have clear policies about what employees can do with confidential or business-critical data. Educate the workforce.
  • Encrypt corporate data removed from the network, just as you would for information on a laptop.

 
 
 
Copyright (c) 2010 Get Safe Online. All rights reserved.