Businesses now chose to rely more heavily on digital devices that can be taken anywhere and used at any time. This means that businesses are now more frequently choosing to use portable storage devices too. Every mobile phone, tablet and computer has its own storage space which employees chose to use for reasons of convenience and efficiency. Often these devices might also be used in conjunction with more a traditional storage device such as a USB stick or CD; such devices are used for storage purposes only. These devices are often preferred by employees as they are simple to use and cost effective.
With a proliferation of portable devices it has become clear that there are a number of security risks and disadvantages associated with using such devices to store sensitive data.
These disadvantages include :
- Data loss through theft or human error
- Vulnerable to malware attacks
- Accidental data disclosure
- Low durability
Portable devices are small which means they are easier to lose and harder to find. An unlucky employee could leave a USB stick storing confidential company data on a train or in the park; this portable device could then be picked up and exploited by who ever happens to come across it. The American data security company Credant Technologies reported that over 12,500 portable devices on average get lost in taxis in London and New York every six months. USB sticks in particular tend to lack any distinctiveness which means an employee could also simply get the device confused with one of their own domestic devices. Put simply a device that is that small, storing that much important information is not safe outside the workplace.
That’s not to say that portable storage devices are always secure at work 100% of the time either. The universality of portable devices means that they can also be mixed up between different departments at work too. There is a risk that employees will pick up any old device and accidentally view information that they are not entitled to. Due to the fact that most offices are littered with them, most portable devices are never labelled nor organised correctly which can be confusing for employees.
Portable devices are often vulnerable to theft due to their size and worth. Most portable devices hold data that has not been encrypted which means once stolen the information on these devices is easily accessible. Some more expensive devices have encryption technology built into them eliminating the need for employees to download encryption software. However most standard office USB sticks will be without such safeguards and it will be up to employees to install them.
Hackers are constantly creating new software to be used in malware attacks, this includes attacks on portable storage devices such as smart phones. Often employees forget that USB sticks can be infected with malware too just like their computers; in fact hackers are able to rewrite the entire DNA of a USB stick using malware. Hackers are also able to use portable storage devices to download malware onto other devices; they are able to both host and transfer malicious software.
The most well-known example of portable storage devices being used in an attack was the Stuxnet case back in 2007. The U.S used the Stuxnet virus to wreak havoc on Iran’s nuclear programme by damaging the centrifuges that were enriching uranium using USB flash drives.
Portable devices are not known for their durability; indeed employees will have several different devices in their possession for this very reason. A hardrive might come to the end of its lifespan within just a few years of purchase so it will be necessary for any important data to be stored on another device otherwise an employee would be risking losing this data permanently. Although this can lead to further complications if that backup data is stored on similar portable devices. It could lead to employees having several copies of the same information lying around on their desk, all stored on very uniform looking devices. This means that if this information were to go missing an employee might not notice for some time.
It is therefore advisable that USB sticks and other portable devices are not used to store backup copies of data and indeed this backup data should ideally be stowed away in a separate location altogether to avoid information management chaos.[su_box title=”About Secure Data Management” style=”noise” box_color=”#336588″]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.