The Threat of the Thumb Drive

By Courtney Macavinta

Just a few years ago, it would have seemed possible only in a James Bond movie for an entire computer's worth of data to be stored on a device smaller than a lipstick. Yet today, so-called thumb drives -- universal serial bus (USB) storage devices -- come no bigger than their namesake digit and are becoming ubiquitous in the workplace.

These devices, also known as memory sticks, can store up to 60 GB of data and enable employees to quickly swap and back up data, provide files to clients, or take work home without carting a laptop along for the ride.

Yet with the increased portability of thumb drives come heightened security risks. For one, their small size makes them easy to lose -- or hide. Once files are dragged and dropped to a thumb drive, an employee can slip the device into his or her pocket and head out the door without the bulk of a CD or floppy disc. Thumb drives are joining a host of other devices, such as iPods, removable hard drives, Zip drives, and mobile phones with USB storage capabilities, that pose security risks for companies with sensitive data. These devices don't keep data as secure as when it's stored behind an enterprise firewall or encryption-protected network.

The vulnerability of thumb drives has been most visible among government agencies. The U.S. Department of Commerce, for one, reported that it lost 46 thumb drives containing sensitive Census data as of last September. In another case, three drives containing confidential information were found by police at the home of a Los Alamos National Laboratory worker. Last year, the Department of Defense had to notify approximately 207,570 enlisted Marines that a thumb drive containing personal records on those who served between 2001 and 2005 was lost.

"These USB devices have become fashionable -- they are made into necklaces and bracelets," says Joseph Martins, managing director of the Data Mobility Group. "You can walk out of your company with your 'bracelet' on and it really contains top-secret information."

Case in point: According to a September 2006 Forrester Research Inc. report, Consumer Technology In The Workplace: Blessing Or Curse?, up to 90% of computer crimes are inside jobs. This creates a bigger problem for CIOs when the lost or stolen data is regulated and must be properly stored and protected. Here's how experts suggest that CIOs regard and rein in portable storage devices like thumb drives:

Step No. 1: Acknowledge the threat

CIOs must now add thumb drives to the list of devices that can add value to their organizations, but need to be governed by security policy and procedures. "People can stick thumb drives in their pocket, purse or eyeglass case," Martins notes. Data stored on thumb drives can also circumvent firewalls, anti-virus and anti-spyware software, and can be easily stolen or lost. Forrester advises that CIOs can stay on top of new devices and their subsequent security issues by nominating someone on the security team "to maintain a 'traffic light' system of the top ten consumer technologies -- green indicating very little security risk and red denoting a significant threat."

Step No. 2: Create a policy focused on your data

Any organization that allows portable storage devices or computers needs to develop a policy governing the devices. Furthermore, the policy should outline what kind of data can be stored on thumb drives. "For every piece of content produced, there should be policy about how to manage that content," Martins says. "The policy should be across all media and devices and the policy should be focused on the types of information that can be stored on them versus the mode of transportation."

Step No. 3: Educate employees

Forrester advises educating employees about the policy, why it's being implemented, the risks of these devices and what uses are permissible. "If possible, prompt users with security warnings when they are about to perform a potentially dangerous action," states the Consumer Technology in the Workplace report.

Step No. 4: Use encryption

In the case of the Commerce Department's lost thumb drives, the agency could at least take some solace in the fact that the data was encrypted. Martins says that it's essential to encrypt sensitive data that is stored on any device that comes and goes through a company's walls. "You should have that last line of defense -- render the data unusable to someone without the right authority," he says. A hacker might be able to break strong encryption, but if thumb drives containing sensitive files are accidentally lost or left behind, most people will be unable to access the encrypted data.

At the end of the day, with the proper policies and security measures in place, the risks of devices like thumb drives can be lessened. An important component is to educate the people who are expected to comply with those policies. That said, there is always a risk when sensitive data can be accessed or removed from a company's secure domain.

"Legitimate use can enhance productivity and morale and save money," Forrester concludes. "The key here is to minimize the possibility of sensitive data leaking outside the company."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.
