To USB Or Not To USB

A US agency announced that they were going to give USB drives to its employees in order to mitigate against the risk of data loss and eliminated the use of unsanctioned USB storage. The USB keys have encryption and are password protected - so it all looks good. However, they seem to have missed out on a number of important issues… unless they have additional software based management in place then there is nothing to stop people from using their own devices. USB keys are frequently mislaid (which is why data loss is an issue) however, most people have more than one - ‘just in case’. Not all data is equal (when it comes to data loss) and so there needs to be policy based on content. If the information is sensitive, then it should be encrypted, if it isn’t then perhaps it doesn’t need to be encrypted. USB keys are most often used for transferring benign information such as presentations - by encrypting it and making it harder to share, people will look to at other ways to transfer the information.

The idea of company issued USB flash drives is not a new one - but remember to think through what people actually use them for rather than assuming it is always for sensitive information.

March 26, 2008 | Filed Under IT equipment, data-loss, security 

comments

Leave a Reply