USB flash devices, the small sticks used to store data, are becoming increasingly prevalent. Typically smaller than a pack of chewing gum and weighing around 15g, they can be easily carried in a pocket, hidden at the back of a PC or lost on the bus.
A 16 gigabyte USB flash device can currently be purchased new for under 20 GBP. To put this capacity in perspective, a typical MS Word document of 10 pages has a file size of approximately 60 kilobytes. This means you could potentially store up to 280,000 documents, or three million pages, on a single drive.
It is the affordability, portability and capacity of these devices that allow them to pose two major risks in the corporate workspace: intellectual property theft and client data loss. Malicious users can load USB flash devices with software that seeks out and downloads information from a PC automatically, while even well-intentioned users can expose their company to risk simply by losing a device loaded with sensitive data.
And once it is in the wrong hands, this data can be sold to the competition, leaked to the public, or even used to facilitate identity theft. In fact, the European Network and Information Security Agency recently estimated that organisations typically lose between 50,000 GBP and 1.3 million GBP for every security breach via a USB flash device.
One way to tackle this problem is to introduce an acceptable use policy. Such policies typically involve banning the use of all personal USB flash devices in the workplace. Employees who legitimately require them can then be provided with company-owned devices, with the serial number recorded against the employee’s name. Rules can then be imposed with regard to the type of data that is permitted to be stored on the device, the movement of the device outside the workplace, and the user’s responsibilities with regard to protecting the device against loss or theft.
Where intellectual property theft using a USB flash device is suspected, computer forensic analysis can reveal traces, known as ‘artefacts’, left by the device in the computer’s registry. These can include a record of the unique serial number of the device, as well as when it was connected, thus making it possible to link an unauthorised action with an individual device. Further, if the USB device itself is available for analysis, computer forensic analysis can also extract the drive’s history, which could reveal evidence of data downloads even if the user has attempted to ‘wipe’ the memory. There is also a range of software available that can be used to control and monitor the transfer of information to and from every device on a network, making it easier for organisations to detect and prevent unauthorised use.
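The serial-number matching described above, as an added example that is not part of the original article: it takes device instance key paths exported from the Windows registry's USBSTOR key and checks each serial number against the register of company-issued devices. The key paths, serial numbers, timestamps and the `ASSET_REGISTER` mapping are constructed sample data, and the function names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Standard Windows location for USB mass-storage device records.
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed asset register: serial number -> employee issued the device.
ASSET_REGISTER = {"AA11BB22CC33DD44": "j.smith"}

# Constructed sample export: (device instance key path, key last-write time).
SAMPLE_KEYS = [
    (USBSTOR + r"\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\AA11BB22CC33DD44&0", "2024-03-04T09:12:44Z"),
    (USBSTOR + r"\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789abcdef&0", "2024-03-05T18:47:02Z"),
    (USBSTOR + r"\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f4a1b3c&0", "2024-03-06T07:30:10Z"),
]

KEY_RE = re.compile(
    r"\\USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$", re.IGNORECASE)

class Finding(NamedTuple):
    vendor: str
    product: str
    serial: Optional[str]   # None when Windows generated the instance ID
    last_write: str         # as exported by the examiner's tool
    status: str

def classify(key_path, last_write, register=ASSET_REGISTER):
    m = KEY_RE.search(key_path)
    if m is None:
        return None  # not a USBSTOR disk instance key
    instance = m["instance"]
    # A '&' as the second character means the device reported no unique
    # serial and Windows generated the ID, so it cannot identify one stick.
    if len(instance) > 1 and instance[1] == "&":
        return Finding(m["vendor"], m["product"], None, last_write, "no-unique-serial")
    serial = instance.rsplit("&", 1)[0].upper()  # drop the trailing "&0" suffix
    owner = register.get(serial)
    status = f"issued-to:{owner}" if owner else "unregistered"
    return Finding(m["vendor"], m["product"], serial, last_write, status)

def audit(keys=SAMPLE_KEYS):
    return [f for f in (classify(k, t) for k, t in keys) if f is not None]

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Devices flagged `unregistered` are the ones an acceptable use policy of the kind described earlier would prohibit; `no-unique-serial` entries cannot be tied to one physical device by this artefact alone.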
If you still think that your workplace doesn’t need to control the use of USB flash devices, just think: How many confidential records could you fit onto a 16GB device? And how much would it cost your company in reputation, sales and clients if that information fell into the wrong hands?