Ask The Cyber Security Expert: Should I worry about removable media?
Cyber security advice is often jargon-laden. We dislike jargon, and try our best to use plain English and actual words instead of acronyms. Today we’ve diverted the Cyber Security Expert away from his usual intellectual Sunday evening pursuits (watching Firefly repeatedly on Netflix) to demystify removable media.
What is removable media?
Removable media is just security-expert speak for anything small and portable that can store data. Typically this can be a USB thumb drive, a writeable CD or DVD, an MP3 player, a mobile phone etc. The list these days is very long – many devices have the capability to store data.
Why should I worry about this?
‘Worry’ is too strong a word – ‘give some thought to’ sounds better. If you have staff using devices like this for storing work-related information, it is worth considering how these devices are used. Thumb drives and the like are widely used because they have a large data capacity and, as the name implies, can easily be carried around. However, that also means they can be easily lost, and potentially lost with a large amount of your data on them.
Also, these convenient little devices can carry viruses! Because they get passed from machine to machine, they can pick up unpleasant infections, and bring them into your offices, bypassing your carefully considered network security.
Sounds unpleasant! What can I do?
If you expect your staff to use removable media to move data around, I’d recommend providing them with something appropriate and requiring that it is only used for work purposes. Whatever the media is, ensure it gets virus scanned frequently.
In terms of protecting data, make sure portable devices don’t hold more data than is required for their current purpose. Modern USB thumb drives have an enormous capacity, and are often chock full of assorted random files. Get your staff into the habit of deleting the contents once a transfer is complete.
You should consider encrypting any data on removable media. There are a number of ways to do this – you can buy commercial USB thumb drives that provide encryption. You can use specific encryption software, either commercial or open source (PGP for example).
Finally, and for most people probably more conveniently, you can use the built-in encryption provided by other software. Microsoft Office 2007 and onwards provides good encryption as a built-in function, for all document types (Word, Excel etc) if required (some guidance here). The popular compression utility WinZip also provides strong encryption.
Encrypting might seem like a lot of hassle, but the above programs really make it simple, and the trade-off is the lack of worry when a device carrying lots of private information is inevitably lost.
Will that ensure I’m secure?
As with everything in security, it’s not a guarantee. The above steps will help ensure the confidentiality of your data, and the integrity of your company’s systems. Further steps for the more paranoid can include an approval process for recording data which is stored to removable media, and ensuring it is deleted once the requirement is gone. Bear in mind that the more arduous the process, the more likely people are to get round it. Select a pragmatic approach that works for you and your organisation, keeping in mind what it is you are trying to protect. For most organisations the steps described above will strike approximately the right balance.
As always, thanks for reading and please get in touch if you have questions.
The Cyber Security Expert