Place IT Restrictions On USB Devices

One of the things I like to see from employers is having heavy IT restrictions placed on staff. Go ahead and boo or hiss at me; after working 10 years in IT I am very used to it. Placing computer restrictions on staff isn’t about making people more productive during work hours (although people use it as a reason) but more to protect the company and the staff that have access to sensitive data.

For the moment I won’t go into the pros & cons of rolling out IT restrictions in the workplace, but I do want to discuss the matter of using USB sticks, something I see as a major risk unless they are used correctly.

If you can lose a mobile phone or laptop then you can lose a USB stick

Some of the major data breaches reported across the world involve USB sticks, either lost by a member of staff or stolen. As our infrastructure manager, Aidan Finn, pointed out in a previous post, you could use our service DataDefense to help encrypt the contents of the USB stick.

Recently it was reported in the UK that medical records of 6,360 prisoners were lost by a worker in the Central Lancashire Primary Care Trust when a USB stick that was being used as a backup device was misplaced. Even though the contents were encrypted, the password needed to decrypt the files was also attached within the USB device. Pointless!

  • NEVER use a USB stick as a backup device; they are not designed for this purpose.
  • NEVER keep passwords together with protected data; there isn’t much point in using passwords if you do.

This is just a brief look at why USB sticks come with risk, but it’s more common that a lost or stolen stick has no form of encryption, as seen when the Bank of Ireland lost one of these devices.

Do you trust your employees?

Of course every company needs to place some form of trust in their employees, but there comes a time when a line has to be drawn and some form of restriction needs to be implemented. If you are allowing employees to use USB sticks then you must trust them not to:

  • Lose the USB stick containing sensitive data
  • Accidentally or purposely copy a virus from the USB Key to a company PC
  • Copy sensitive data to take to a new employer (common with sales people)

It’s not that I don’t like USB sticks but…

I’ve only given some brief reasons why I don’t like USB devices, and I could probably give a lot more reasons as to why I think these devices shouldn’t be allowed within company property, but then that would be IT failing for me, for you and for every business. Companies need to use IT as a tool rather than having IT hold their business to ransom, so if you are using USB devices such as the popular USB key then you and every employee need to know how they should be used and what risks they pose.

If you are using our DataDefense service you will have noticed passwords are not used for the encryption, but more importantly the service is a lot more than simple encryption (to be discussed later).
