Banning iPods, USB keys and other portable storage media is not necessarily going to protect enterprise data, Sun Microsystems of Canada’s president said in response to a survey that showed 30 per cent of firms prohibiting the devices.
Sun released the results of the survey, conducted on its behalf by Ipsos-Reid, which showed at least 49 per cent of organizations were at least creating policies to prevent portable storage devices from entering the workplace. This is despite the fact that 17 per cent of the more than 250 senior-level decision makers admitted they have a poor understanding of wireless and remote access to data, and only 32 per cent said their businesses were performing at an optimum level to prevent data thefts or attacks.
Andy Canham, president of Sun’s Markham, Ont.-based Canadian operation, said many companies are still grappling with the security issues around “old” technology such as laptops, let alone contending with iPods and USB keys.
“I don’t think banning them is necessarily the answer because I don’t think the problem is unique to one type of mobile technology,” he said, noting that data capacity is being squeezed into a number of unexpected devices. “If you look at many people in enterprises today, they’ve got cell phones, which also have a lot of storage.”
Brian McCarthy, vice-president of marketing at Centennial Software in Portland, Ore., agreed. Centennial makes Devicewall, a software product that can prevent a portable storage device from downloading data from a PC.
“With the different devices out there, it’s impossible to ban the device,” he said. “If someone is intent on doing harm – it could be a credit card device, somebody’s watch that holds a USB storage device – they’re going to do it.”
Canham said exposure to data theft hinges, in large part, on the way IT is managed throughout the company.
“If you’re looking and planning around things like identity management and exploring ways of understanding access to data, if you set up audit capabilities, those are the basics you need to have in place,” he said, adding that while security and privacy issues continue to rest with the CIO, the worry that customers will leave a company that suffers a breach is considerable. “That’s something that gets well beyond the CIO to a sales or even CEO’s office.”
According to the Ipsos-Reid survey, 72 per cent of respondents said they did not offer remote access to systems such as the corporate intranet due to security concerns. Dennis Szerszen, vice-president of marketing and corporate strategy at Securewave, a company that manages portable device access to IT systems, said those fears might increase once virus writers catch on to the trend.
“One of the biggest paths into the network will be smart malicious code that tries to embed itself into removable media as a means of transporting itself,” he said. Like Centennial’s Devicewall, Securewave’s Sanctuary product is designed to prevent such incidents, and McCarthy, therefore, doesn’t see a need for a ban.
“I want my employees to use their MP3 players. I know if I take that away from them, I’ll have a mass rebellion,” he said.
The Sun/Ipsos-Reid report said the majority of organizations, or 93 per cent, rely on user names and passwords as their primary source of data protection, and 92 per cent use firewalls as well.