Employees and their gadgets are now the biggest threat to IT security.
The acronym USB has become synonymous with anything that can be plugged into a personal computer, yet the proliferation of small, easy to hide, digital USB storage devices take the dangers of blurred boundaries between personal and corporate computing to a new level. Left unmanaged, these devices present a huge insider threat to the security of a company's data and IT systems.
Effective IT security has always involved more than simply putting up firewalls and keeping anti-virus software updated. But never before have there been such a variety of threats to network integrity. In addition to continuing to invest in perimeter security measures, the burgeoning threat of ever-larger portable storage devices that plug straight into a desktop PC needs to be dealt with now.
With analysts agreeing that 70 per cent of IT security attacks come from inside the organisation, it's obvious that these devices present a serious problem that many senior managers are simply not aware of.
Admittedly, not just anyone is allowed through the office door and into the working environment. Yet as we equip ourselves with the latest MP3 players, mobile phones, PDAs and games consoles to keep occupied on the daily commute to and from work, or are issued with these devices to enable better delivery of service to clients and colleagues, our own personal storage capability multiplies.
When you consider how often you plug a device into a computer, to innocently give it more charge for the journey home, or to transfer some photos from a colleague's wedding to share with the team, it becomes clear just how many computers a single device comes directly in contact with.
New threat on the horizon
Virus writers are finding it harder and harder to break down the virtual security door, so are turning their attention to walking through the front door. They are creating clever little programmes that do one of two things:
- Suck out files from a computer in order to gather data for fraudulent use
- Crawl onto a desktop to attack files or send information out of the building through an Internet connection
These tiny pieces of malware can cause untold damage and are just the start of what could be a flood of spyware and key loggers. A malicious program can easily be transmitted from device to computer and back to device when the remote storage device is attached to the corporate network.
The first challenge is recognising this threat. Probably the most striking way to realise its extent is to spend five minutes spotting pairs of white earphones walking through the office door and past security each and every morning.
The iPod and its multi-gigabyte hard drive may be common, but for every iPod there is at least one other MP3 player, digital camera or USB that may not be quite so easy to identify. Given that a 40 gigabyte iPod can hold one and a half million word documents, you can see the extent of the threat.
Common sense and the right technology
Banning all these devices is just not an option. The only way to be confident that the network and the data stored on it is protected, is to intelligently monitor and control all the different types of fixed and wireless connections available on today's computers.
Once the decision has been taken to control these connections, the IT department needs to work closely with the HR and operations teams to understand the variety of job roles and expectations of each employee. This will lead to clear definitions across all departments of each individual's technology needs at work. Setting permissions through a device management system is then quick and easy.
These settings should be assigned to individuals and not machines. That way the IT team, who need to interact with each and every PC, can continue to support all staff members.
Having recognised the endpoint security risks and gained an understanding of the differing needs across the organisation, a clear policy can then be set out for the entire business.
The "five steps to closing the internal security loophole" are:
- Understand endpoint security risks
Be clear as to the range of different devices that can present an internal security risk.
- Review business requirements
Take time to understand the needs of different departments and individuals.
- Create a removable device policy
Set out clearly what devices can be used and buy whom.
- Enforce the policy - Intelligent USB lock-down
Put the systems in place to actively manage all communications devices running on or connected to desktop PCs.
- Educate, review and repeat
Continually learn from the feedback the system provides to close loopholes and change individuals' settings where appropriate.
Getting staff buy-in can be difficult. Involving them in the process from start to finish is the only way to ensure that all understand the need for controlling portable devices and wireless access to PCs. Management must accept that music on the move and photography at any time are now part of our daily lives - these devices are now a commodity and no longer a luxury.
Conclusion
Intelligently locking down the connections to company computers will ensure that data theft is minimised and that malicious programs, whether intentional or not, are not introduced onto the network where they are free to infect other portable devices and proliferate wildly.
By taking an active and inclusive approach to managing the connections each company PC can make to portable devices, company-critical data becomes not only safer and easier to track, but IT systems are also afforded greater protection from the proliferation of malicious applications moving freely between removable portable storage devices and the corporate network end-point.