IBM has reportedly banned its employees from using any kind of removable storage device while at work. The news was reported in online paper, The Register.
IBM's global chief information security offer Shamla Naidoo allegedly made the announcement explaining that “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBM isn’t the first workplace to ban this type of data transfer method.
All companies should be aware of the risks
The U.S. Department of Defense had a ban on removable storage devices for some time after the 2011 cyber intruder attack known as w32.agent.btz, the ban has since been lifted. The NSA also has policies on the use of removable storage, but from what is known about Edward Snowden’s leak those didn’t play out well.
The Register reports that parts of IBM’s operations already had a ban on portable drives but now that ban has extended to include all of its 350,000+ employees. IBM hasn’t released details as to why the ban is being implemented now.
When asked for comment Gizmodo reports that IBM responded saying: “we regularly review and enhance our security standards and practices to protect both IBM and our clients in an increasingly complex threat environment.” While there isn’t any information to suggest that IBM has experienced a breach of security relating to portable storage, their concerns aren’t unjustified.
There have been a series of security incidents involving flash drives from the novel to the downright terrifying. In 2008, a consultant for PA Consulting n the United Kingdom copied files containing records on all 84,000 prisoners in England and Wales onto a USB drive, which then got lost.
Human error often to blame
In 2006 a US-based Credit Union hired a private security investigator to test its security networks with an emphasis on the social engineering aspects of the system. The sneaky investigator dropped 20 Trojan carrying USB thumb drives in the Credit Union's parking lot.
According to his report, which you can read here, “of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers” within three days. It’s no wonder that large corporations like IBM have concerns.
Lost data amounts to big dollars
As well as putting people and companies at risk, lost data devices can also cost a lot of money. A 2011 survey of 400 organizations, found that combined, these businesses had lost 12,000 customer, consumer, and employee records because of missing USB sticks.
It went on to say that at an average cost of $214 a record, that total amounts of losses for the combined companies in the survey could be more than $2.5 million.
"While these devices may be small," the study said, "the data breaches that can result from lost or stolen USBs are huge. More than 70 percent of respondents in this study say that they are absolutely certain (47 percent) or believe that it was most likely (23 percent) that a data breach was caused by sensitive or confidential information contained on a missing USB drive."