Little leaks

17.04.2006
Proliferating flash drives and other personal memory devices are causing corporate IT managers to rethink data security policies and enforcement. But the balance between corporate security and user convenience has never been more difficult to achieve, because ubiquitous thumb-size drives can hold gigabytes of corporate information.

"In many cases, it's an unrecognized security problem," says Jack Gold, founder of J. Gold Associates, an IT consulting firm in Northboro, Mass. "And it's not just flash drives. A lot of users have discovered that iPods make convenient backup devices."

But there can be huge consequences for IT departments that neglect the problem, Gold says. "Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device," he says. "And often, the company won't even know the employee has done it." The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines, according to Gold.

"The payback for doing a good job with security for these personal devices is preventing a US$10 million to $30 million company liability," Gold says.

Data Guardians

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost.

At the less restrictive end of the spectrum is Children's Home Society of Florida (CHS), an adoption and family counseling agency in Winter Park.

"We deal with private medical information, and so it's been a long-standing problem," says CIO John Valleau. "Our employees have floppy disks, flash drives and iPods to which information can be transferred."

Although CHS has a "thou shalt not copy" policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn't about to ban them, because "some people might need to carry protected medical records from one location of ours to another." As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm's 210 offices around Florida.

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

"While personal storage devices haven't been a big problem for us, we need to be able to prove that we are protecting patient information," says Mark McGill, a network engineer who administers security for 900 workstations and 1,200 users at Ellis Hospital in Schenectady, N.Y.

"Many people have access to patients' Social Security numbers, personal information and diagnoses. So we toyed with banning flash drives and camera phones -- a double threat when the camera phones contain memory cards that can hold data -- but some people have a valid use for them," he explains. "And when we started to lock things down, the users screamed. One doctor said he couldn't give his PowerPoint presentation at another hospital."

McGill's solution was to install Sanctuary, a network monitoring product from SecureWave SA in Luxembourg that can restrict the use of personal storage devices based on a user's identity, individual PC workstations or the type of personal data device being connected to the network. Exceptions can be made for reasonable data-access requests, he says. However, the software can't protect against the use of a camera phone not connected to the network, so the hospital relies on a policy limiting where photos can be taken.

Network Lockdown

A more extreme approach was taken by Fabi Gower, vice president of information systems at Martin, Fletcher & Associates LP. The national health care staffing firm in Irving, Texas, has databases containing proprietary information about job candidates. Gower uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network's ability to write to portable storage devices.

"I'm a strong proponent of having control over the security of the business, whether you've got two employees or 2,000," Gower says. "The way we've got the network set up, employees can't plug PDAs, smart phones, flash drives or USB hard drives into the network. So I couldn't care less what they carry in, because I know our data is not leaving the building."

But some company's data will get out, Gold predicts. "I have no doubt that, with all these portable memory devices in the workplace, there will be a federal privacy compliance breach in the next year. And it could be a huge liability."

Alexander is a freelance writer in Edina, Minn. Contact him at s_j_alexander@rocketmail.com.

SIDEBAR

How to stop the leaks

First line of defense: Establish a portable-device policy and educate users about it. Few companies ban the devices outright; 15 percent to 20 percent have usage policies.

Second line of defense: Implement network safeguards. Network management tools, used by fewer than 5 percent of corporations, can restrict network access by individual, workstation or type of device. Shutting down all Universal Serial Bus ports isn't practical because too many legitimate devices use them. Another alternative is to issue employees encrypted flash drives to protect the data in case the tiny devices get lost.

Third line of defense: Dismiss employees caught violating the portable-device rules. This can help you avoid potentially huge corporate liabilities for compromises of confidential data.

Source: Jack Gold, J. Gold Associates, Northboro, Mass.
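As an added example that is not part of the article and not code from any product named in it, the PowerShell below audits a Windows workstation's removable-storage write protection and can enforce it, the workstation-side form of the "limit writes to portable storage" control the sidebar and Gower describe. It assumes an elevated session on a Windows client and relies on the StorageDevicePolicies\WriteProtect registry value that Windows consults when mounting removable disks.

```powershell
# Added example (not from the article or any vendor it names): audit, and
# optionally enforce, write-protection for removable disks on Windows.
# Assumption: run in an elevated PowerShell session on a Windows workstation.
param(
    [switch]$Enforce   # apply write-protection; default is audit only
)

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-RemovableWriteProtect {
    # Returns $true only when the WriteProtect DWORD exists and is set to 1.
    if (-not (Test-Path $policyKey)) { return $false }
    $val = Get-ItemProperty -Path $policyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.WriteProtect -eq 1)
}

function Set-RemovableWriteProtect {
    # Creates the key if missing and sets WriteProtect=1 (DWORD).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Value 1 -Type DWord
}

$before = Get-RemovableWriteProtect
Write-Output "Removable-disk write protection enabled: $before"

# Inventory attached USB disks so the audit shows what the control covers.
Get-CimInstance Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq 'USB' } |
    Select-Object Model, Size, SerialNumber |
    Format-Table -AutoSize

if ($Enforce -and -not $before) {
    Set-RemovableWriteProtect
    Write-Output "WriteProtect set; devices must be reinserted for it to apply."
}
```

On domain-joined machines the Group Policy setting "Removable Disks: Deny write access" is the centrally managed equivalent, which also allows the per-user and per-workstation scoping the sidebar mentions.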