Portable Media

Sometimes your biggest problems are little ones

Recent Articles

Careless Talk Costs Revenue India Makes Stready Progress Security Trends in Mobile Devices Cloud Computing Effects of Data Loss Information Theft Warning Signs Staff Vetting Portable Media Legal Developments

As more and more data is stored on memory sticks, phones and MP3 players, how can you stop confidential information falling into the wrong hands?

The risks posed by portable data devices have been around since the invention of the floppy disk 40 years ago. And, as each new advance brings an exponential growth in the amount of memory on tap, many organizations have been struggling to find ways to protect confidential data.

Some organizations briefly stemmed the tide by banning CD burners and locking the slots for additional hard disk and floppy disk drives. But with the advent of USB interfaces - particularly memory sticks - the threat level has leapt up again. After some embarrassing high-profile losses in previous years, the number of reported losses of portable media fell by around a third between 2008 and 2009 - although the figure is still up on 2007.

Memory sticks may be a life saver for anyone involved in presentations, sales pitches and complex projects, but they're proving a real headache for those responsible for data security. The average storage size of such devices doubles every two years, and with prices going in the opposite direction, the typical employee may well have a handful of them in his or her possession.

Apart from the risk of loss or theft, there are other ways that data can escape fortuitously. Most of us have at some time handed over a stick at a conference to download a presentation. Yet do we always consider that unrelated information already on the device could be downloaded without our knowledge? Some devices are even craftily designed to transmit data from your computer straight to the internet.

Keeping track of the actual data on USB sticks is well nigh impossible, as most users store information from multiple sources. And now, with the emergence of smart phones and even memory cards for digital cameras, the danger is multiplying.

The blurring of lines between personal and company media means that an employee may well have a lot of highly confidential data on one or more personal device. Consequently, attempts to forbid staff from carrying notebooks or laptops across borders are often rendered meaningless, as much of the content may already be on their phone or MP3 player.

Without doubt, the relentless march of technology will ensure that portable media continue to proliferate. So what measures can be taken to combat such risks? At the very least, organizations should make employees aware of the need to exercise extreme caution. Better still, companies should encrypt data files on each and every device that may contain any type of sensitive information. Such a move would strike a blow against those who would seek to profit illegally from your valuable intellectual property.

Portable media security recommendations

Here's how to enjoy the benefits of modern communications devices while reducing the security risks:

Enforce a clear user policy
. Allow only approved portable devices
. Restrict usage to employees with genuine business need
. Classify the type of information that can be stored and processed on portable devices
. Monitor and audit the use of such devices.

Make users aware
Communicate the policy to all users, explaining the rationale behind any restrictions. Make sure that all those involved in policing the policy fully understand their roles and responsibilities.

Keep a record
Know what devices you have and who's using them.

Restrict connections
Allow only approved devices to be connected to your system. That may involve locking USB ports. Restrict the types of files that can be run on portable media.

Central control
Deploy central controls so that missing devices (e.g. smart phones)
can be locked or disabled remotely.

Dispose of devices safely
If portable media are re-used or donated, this must be done securely. Alternatively, the devices should be destroyed.

Encryption
Centrally controlled encryption can ensure that devices such as USB sticks automatically encrypt information as soon as it is saved. Authentication Restrict access using safe passwords or two-factor authentication.

Digital rights management (DRM)
DRM technologies control use of digital content, wherever it is stored.

By Jörg Asma, KPMG in Germany (jasma@kpmg.com)

© 2012 KPMG International Cooperative ("KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.