Companies without appropriate controls to manage data on portable devices are leaving themselves "wide open" to security breaches and possible prosecution, a security expert told vnunet.com today.
Today's ultra-portable devices, such as smartphones and USB Flash memory sticks, can easily be stolen or lost, compromising sensitive data.
Security experts have been recommending for some time that encryption is used on such devices to protect the data.
Furthermore, U3 USB Flash memory sticks, which are able to launch applications as soon as they are plugged into a PC, present new dangers to organisations.
The devices enable unauthorised applications and data to be introduced behind the firewall, and sensitive data to be copied to the sticks without leaving a trace.
Allowing users to connect unregistered devices to the network inside the firewall leaves companies vulnerable to everything from corporate espionage to the prosecution of directors for hosting inappropriate material on their network.
Andy Burton, chief executive at IT security specialist Centennial, said: "Ignorance is no longer a defence. You have to take control."
A recent spate of thefts from the US Department of Veterans Affairs, which resulted in the exposure of personal data of ex-military personnel, highlighted the dangers of sensitive data being compromised accidentally.
In another instance, military USB Flash memory sticks containing the personal data of currently serving personnel were found for sale in an Afghan bazaar.
The Veterans Affairs case involved a stolen laptop containing an unencrypted database of thousands of personal data records which an employee had copied from the network to work on at home.
Such errors can only be eliminated through a combination of sound security technology and user education on usage policy, and a regime of effective control over user privileges.
"I can synchronise my corporate-approved BlackBerry but not my iPod. I cannot use a random USB key brought in from home, only a corporate-approved one," explained Burton.
"The data transfer across the link is audited so that we know what data has left and where it has gone, and encryption is enforced so that the data is protected.
"If a user connects an unauthorised device, or tries to make an unauthorised action, the security system should flag it up and tell him why he can't do it."
Centennial has launched a bulletin board called Watch Your End, which covers security vulnerabilities related to U3 USB Flash memory sticks and other devices.
Security consultants advise that an appropriate network usage policy should be communicated to all employees when they join the organisation as part of their terms and conditions of employment, and should be refreshed periodically.
Portable data menace goes unchecked
By Andrew Charlesworth on Sep 8, 2006 10:13AM