How Companies are Attempting to Shore Up an Obvious Security Gap
3 Things this Blog Covers:
- IBM realizes that flash drives are risky
- The flash drive security gap
- Secure alternatives (that your employees will actually use)
Flash drives, thumb drives, pen drives, gig sticks, jump drives, disk keys, memory sticks.
Whatever you want to call them, these portable storage devices have been commonplace since 2000 – but so have attempts to control, regulate, and prohibit them. But like a never-ending game of whack-a-mole, USB storage devices pop up again and again in discussions around enterprise security. And that’s no coincidence.
Not too long ago, you could walk up to any booth at a trade show and, odds are, you’d be handed one of these complimentary “secure” flash drives plastered with some company’s branding. Small, transportable, and convenient, they were the standard for storing and transferring data.
But the days of using personal media storage devices at work appear to be coming to an end. And, notably, IBM has had a data security-related epiphany. The giant multinational technology company recently banned all employees from using USB flash drives for work related data sharing.
In this specific instance, we find a massive global organization changing its stripes through self-imposed regulation that impacts its 380,000 employees.
IBM global chief information security officer Shamla Naidoo says the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”
So that’s it. Problem solved, right? Everybody back to work. We’ve figure it out. Now that we’ve banned these devices, no one will ever use them again. Our data is finally…safe.
But not so fast.
The practice of banning thumb drives is fairly common, especially in regulated industries where employees and systems require the frequent handling of sensitive personal data. However, surprise, surprise, data leaks still happen, and data breach settlements aren’t unheard of.
So, if banning doesn’t work, what is the solution?
What it all comes down to is security.
Now, we’re not calling for the total eradication of supposedly secure flash drives. Devices of this kind are far from useless. After all, these handy devices continue to offer some legitimate purposes – for personal reasons. On the other hand, where the need to store, share, or act on sensitive customer data exists, for organizations big and small, there are no longer any valid reasons to use these devices for anything work-related.
Two reasons USB flash drives aren’t secure
Regardless of whether sensitive data, documents or files are compromised, it’s the matter that the very nature of thumb drives puts PCI, PHI, and other types of sensitive personal and corporate data at unnecessary risk. Thereby – and this cannot be understated – the company’s brand, reputation, and public/business trust are also put at risk.
1. Easy to use, but easy to lose: The very reasons that make flash drives so convenient – they are small, portable, and make it easy to transfer data from one device to another – are precisely what makes them unsecure for sensitive or private data adding unnecessary risk to the business.
2. Lack of encryption: Besides the fact that thumb drives can be effortlessly misplaced, the portable devices come with other security vulnerabilities. Encrypting data may require the user to perform an extra step. So, rest assured, there are many people who just never bother. When encryption is absent, malware infections can reprogram a flash drive to steal data and/or overwrite firmware to take control of any device. So the next time you find a random USB memory stick laying around, think twice before inserting it into any of your personal or company devices.
Surprisingly, though, many “secure” industries – spanning from healthcare to education – still deal with breaches due to simply misplacing personal devices including thumb drives.
Over the last several years, hospitals in Massachusetts, Ohio, and South Carolina, for example, have lost a flash drives, compromising patient names, Social Security numbers, home addresses, lab testing codes, and slide identification numbers. In other cases, data breaches could lead to HIPAA sanctions. A mental health facility in Alaska found that out the hard way after their organization was hit with a $150,000 fine for not taking the proper steps to assure the security of patient data.
In one incident on the education front, a lost thumb drive compromised the data of more than 21,000 students in the Boston Public School system. The exposed dataset included student names, ages, grades, ID numbers, where individuals attended school, and even ID photos. What constituted a nightmare for BPS and the victims impacted by the data breach was traced back to a simple case of a lost memory stick – misplaced in transit between school officials and a district vendor.
Real solutions to the flash drive security gap
To address the business security issue caused by flash drives, let’s first talk about the people problem.
The aforementioned healthcare and education examples share a commonality – human nature. In both cases, the security issue is not tied to malicious actors. There is no hint of deliberate corporate espionage. No one tries to lose a thumb drive in the back of a taxi or forget a solid-state drive (SSD) at the bar after a long day in the office.
As for encryption, some people are lazy, don’t know how, or never considered this security measure. The simple fact that all humans is the reason these devices are banned in multiple industries, and it likely played a significant role in IBM’s recent decision as well.
If your organization is searching for a way to mitigate risk around data storage, sharing and collaboration, and the transmission of sensitive data across company lines, don’t worry. It’s 2018. There are plenty of alternatives to portable storage devices, which, as pointed out above, are more “easy to lose” than “easy to use.”
Here are three better solutions than using USB thumb drives, SD cards, external hard drives, or any other portable storage device:
Cloud file sharing:
What’s the biggest reason people still use portable storage devices? Ease of use, right? Well, the same can be said about cloud-based consumer file sharing services. If one thing can be said, of consumer-grade cloud file storage services, it’s that they make it easy for individuals to exchange files of pretty much any size or type. As a tool for the business, cloud file sharing applications present a viable alternative to carrying around an easy-to-lose device. Some of the benefits include the ability to:
- Access to files from multiple devices
- Safely back up files and folder
- Lock down data if a device is lost or stolen
- Recover of delete or mistakenly saved files
- Vary storage space
However, there are downsides to cloud-based file sharing services that cannot go undisclosed. According to a 2017 Ponemon and Metalogix Research survey of approximately 1400 cloud file sharing application users:
- 49% of respondents experiences file sharing service data breach in the past two years
- 79% of those surveyed felt that existing file sharing tools were deficient in their ability to protect against both a targeted breach or accidental exposure
- 68% say there is a critical lack of visibility to where sensitive data is being stored
Document collaboration tools:
Face-to-face team collaboration isn’t always possible nowadays. It’s not out of the ordinary for team members to be working remotely in different parts of the country, if not the world. And that’s where document collaboration tools allow remote coworkers to simultaneously work on, view, and edit documents on a shared platform without relying on constant email exchanges. However, much like cloud file sharing tools, the benefits need to be contextualized by the risks.
For one hour in 2017, a sophisticated and malicious phishing attack targeted users of the popular document collaboration solution, Google Docs. Although, Google was able to quickly address the breach and inform those affected by the attack, at least one million user email accounts and contact lists were exposed.
Enterprise file sharing:
Businesses of all types and sizes, including business-to-business (B2B), peer-to-business (P2B), business-to-peer (B2P), peer-to-peer (P2P), business-to-commerce (B2C), and commerce-to-business (C2B), need to share files of all types and sizes with customers and partners through complex modern ecosystems. Secure file sharing solutions allow these companies to control data while easily integrating with applications and enterprise solutions. The best file sharing solution should also offer:
- Deployment in public/private clouds or on-premise
- Significant control over where data is stored
- Administrative tooling to ensure visibility, control, and auditability across internal and external data sharing activities
- Secure file sharing without firewall reconfiguring
- Audit trail of file transfer activity
- Folder permissions with advanced access and control
- Scalability to meet any business needs
There may never be fool-proof way to fully prevent breached, compromised, or even scandalized data. But in this day in the digital age, there are smarter ways to go about securing and handling sensitive data. And relying on portable storage devices simply because of the convenience and availability just isn’t one of those ways.
Simply just banning thumb drives, pen drives, gig sticks, jump drives, disk keys, flash drives, and memory sticks from the workplace won’t cut it. To effectively mitigate the USB storage risk, organizations must intelligently couple increasing their internal employee regulations with a viable and superior alternative to sharing data.
Enterprise-grade file sharing solutions have the potential to not only close this security gap, but provide employees with a more versatile solution, enabling a broader set of sharing and collaboration use cases, and promoting efficiency gains as well.