The Business Risk Of Removable Media

Many businesses use removable media devices as a quick and easy means of data storage and transfer. The nature of removable media devices means that they are not without their share of risks, however, with press reports and surveys bringing issues around the loss of devices and the consequences of transferring malware from machine to machine to the fore.

Part of the problem is that the convenience means the devices can find themselves being connected to a variety of essentially unknown and untrusted systems. If the temporary home is infected with malware then it may hop across, and get taken away as an added extra on the device.

And that, of course, is if the device is taken away in the first place – many end up being forgotten and left behind in machines. We certainly find it’s a common phenomenon amongst students in our university labs and (somewhat ironically) we have a growing collection of keys that were left in machines in our security lab.

So, the security issues around removable media can be linked directly to threats around both data loss and leakage, and malware infection. It’s also important that we don’t overlook the different guises in which the risk can exist. If we use the term ‘removable media’, many people will naturally think about USB keys, memory cards, and external hard drives, but content can also be copied to a variety of other devices including cameras, MP3 players, and of course smartphones and tablets.

Given the prevalence of the devices, it’s fair to ask what we’re doing to protect them (and indeed to protect against them). Unfortunately, the answer often appears to be not much. For example, PwC’s Information Security Breaches Survey 2012 suggests that only 58% of large organisations have a policy for mobile computing (small organisations were far behind at 27%) and only a third of respondents overall provided any training in relation to mobile device threats.

While guidance around removable media may still appear in other contexts, this gives an indication of the relative immaturity of our behaviour around the routes that are enabling our data to go mobile – especially given that virtually all organisations will be using mobile devices in some form, even if they are not formally issuing them to staff themselves. Indeed, a proliferation of personal devices is now specifically embraced and encouraged by initiatives such as BYOD (Bring Your Own Device).

Giving these practices a label helps to make them sound more strategic, but that doesn’t by any means imply that they’re secure. In fact, organisations have less opportunity (and less authority) to ensure that these devices are well managed, and so may end up with a more varied and inherently less protected mobile fleet.

In terms of addressing the risks, a good starting point is to recognise that unless guided otherwise, staff are likely to be (a) using devices to hold a mixture of corporate and personal data and (b) giving little thought to protection beyond trying their best not to lose them.

A good foundation is therefore to establish (and promote) a clear policy to users. Fundamentally, this needs to cover the circumstances in which it’s permitted to use the devices, what data can legitimately be stored on them, and the safeguards that ought to be followed. In terms of the latter, key considerations ought to be encrypted storage and malware protection.

In common with the position around policies, surveys suggest that relatively few users will be employing encryption by default (e.g. Ernst & Young’s 2011 Global Information Security Survey suggested that less than half of the respondents were doing so on mobile devices as a whole), and so this could usefully be advocated in order to support a data mobility policy. There are several ways in which protection can be provided, including via operating system features, third party tools, and (for USB keys) by getting encrypted media in the first place.

Similar safeguards can also be applied on other mobile devices such as smartphones and tablets, and here there are also opportunities for frontline authentication via PINs and passwords (and in some cases using biometrics such as face recognition). However, our own findings from survey work at Plymouth suggest that significantly less than half of users protect their phones in this way.

For malware, there are at least two levels at which protection ought to be considered. The first is on any target systems to which removable media may be connected, to ensure that they are not allowing malware to transfer in. The other is on the devices themselves, with smartphones and tablets now being increasingly prone to malware strains written to target them (and which could add to the risk for the data they hold).

Removable media should therefore be an entirely manageable risk – businesses are familiar with the devices and aware of the problems inherent in their use. What they must remember is that the threats from loss or malware infection are very real, and are issues that must be addressed by all organisations.

Steve Furnell is a Professor of Information Security & Network Research at the University of Plymouth in the U.K., as well as an adjunct professor with Edith Cowan University in Western Australia. He has been active in security-related research since 1992, with interests including security management, computer crime, user authentication, and security usability. In addition to being a senior member of the IEEE, Professor Furnell is a Fellow and Branch Chair of the British Computer Society (BCS). He is also active as a UK representative in the International Federation for Information Processing (IFIP) working groups related to Information Security Management (of which he is the current chair) and Information Security Education.