Later posts will explore the role of these flash drives in the spread of the Stuxnet virus that is purported to have caused major damage to Iran's nuclear capabilities, but the threat to small business can destroy them just as easily.
See the "Hello" post for an explanation of what this blog is all about. Click the navigation link at the right.
Please comment and let me know what you think of the articles and the purpose of the blog itself.
The pdf is at:
Managing Portable Storage in a Small Business Environment
MANAGING PORTABLE STORAGE SECURITY
Portable storage has been around since the very first personal computers. The original portable storage was actually cassette tape. This was soon replaced by the 5¼-inch floppy disk, with a whopping capacity of 360KB. That’s 360,000 bytes. A single digital photograph today, even in its smallest form, is larger than that. A 32 gigabyte “flash” drive, no larger than a pen, can be purchased for $80. A 500GB portable hard drive, about the size of a paperback book, can be purchased for $120.
The purpose of this paper is to explore the explosive growth in portable storage, the benefits and dangers of using these devices, and how they can be managed in a small business environment.
What is a Small Business?
For the purposes of this paper, we will be considering very small businesses and entrepreneurs. There are many definitions of small business, based on revenue levels or on number of employees. Here we are talking about “very” small business, sometimes called “micro” business. These businesses have fewer than 10 employees, and the majority are individual entrepreneurs, also known as nonemployers.
According to the US Census Bureau, in a 2002 study, “About three quarters of all U.S. business firms have no payroll. Most are self-employed persons operating unincorporated businesses, and may or may not be the owner's principal source of income. Because nonemployers account for only about 3.4 percent of business receipts, they are not included in most business statistics, for example, most reports from the Economic Census. Since 1997, however, nonemployers have grown faster than employer firms.” (US Census Bureau, 2003)
Of the total of over 23 million firms in the US in 2002, there were 17,646,062 firms considered “nonemployers”. These are your classic one-person entrepreneurial firms. In addition, there were 3,706,410 firms with fewer than 10 employees. This is the micro business sector.
Growth of Portable Storage
As was mentioned earlier, the first portable storage was cassette tape. This was followed by floppy disks, CDs, DVDs, flash drives, and portable hard drives. Capacity has grown exponentially. As each new media type is introduced, the cost of the previous type falls dramatically.
Costs have fallen so rapidly that the media itself is disposable. A good example of this is the use of rewritable CDs (700 MB) and then rewritable DVDs (4.2 GB) for data backup. When first introduced, CD-R media was priced at over $2 per disc. To save on disc costs, rewritable CDs were recommended on a rotation. These discs could cost as much as twice as much as single-write discs, but could be reused several times. Backup processes were written with rotation schedules to reuse these discs, as the most cost-effective method. As writable DVDs were introduced for storage, CD prices dropped dramatically. CD-Rs can now be had for as little as $0.12 each. Using rewritables was no longer cost effective, as it took more effort (and payroll dollars) to manage the rotation than it was worth. The end of the rotation scheme was changed to “destroy and dispose”. It didn’t take very long for DVDs to follow suit, and now DVD-Rs are only $0.19 each.
USB “flash” drives are following suit in price declines, although they are not a preferred backup medium. USB portable hard drives are used for backup purposes, and their cost per gigabyte, now as low as $0.09/GB, continues to decline as capacity continues to skyrocket.
Benefits of use
What are the benefits of portable storage? The obvious answer is that it is portable. But portable is relative. The first portable hard drives were the size of a brick, required external power, and were susceptible to vibration and the environment (heat). Today’s portable drives are powered through the USB port on the host machine, are about the size of a thin paperback book, and have shock-resistant mountings. CDs and DVDs can be easily transported and stored in small spaces offsite, compared to data tapes. Even more portable are USB “flash” drives. They provide convenient transfers and allow employees to take their work anywhere. They are also good for convenient quick backup and instant offsite storage.
Dangers of use
Many of the same factors that create the benefits of portable storage create danger as well. The small physical size of these devices, especially flash drives, makes them easy to lose or steal. While portable hard drives and backup disks (CDs or DVDs) have similar dangers and consequences and should not be ignored, the focus of the remainder of this paper will be on USB flash drives.
According to a white paper by SanDisk Corporation, “We are in the midst of a data leakage epidemic.” “Data leaks most commonly occur when employees take work with them on a laptop or a flash drive, only to lose the device or have it stolen.” (SanDisk Corporation, 2008)
The largest problem for small businesses is that they don’t know they have a problem. Flash drives are so inexpensive that employees typically have a personal drive they use for mixed purposes: to carry business information home and to keep the little league schedule on at the same time. This mixed use exposes the business to the threat of transmitting viruses and malware from personal machines at home to the machines at the office.
In the same white paper, SanDisk lists the consequences of accidental and deliberate data leaks:
- Theft of intellectual property, trade secrets, or proprietary information
- Loss of confidential business plans and road maps, resulting in the potential loss of sales or first mover advantage
- Failure to comply with industry and federally mandated standards for data auditing and safekeeping, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), the PCI Data Security Standard, and Federal Information Processing Standards (FIPS)
- Loss of employee data, possibly resulting in legal liability
- Potential criminal charges when data leaks violate state or federal law
- Irreparable damage to the organization’s public (SanDisk Corporation, 2008)
Symantec’s Internet Security Threat Report for 2008 showed: “Although laptops and other storage devices, such as USB memory keys, portable hard drives, and disks, have become smaller, less expensive, and easier to use, their compact size and larger storage capability has increased the opportunity for theft, loss, or misplacement, as well as the potential amount of information breached; a single DVD disk can contain personal information on millions of people. In a recent survey, one in 10 people have lost a laptop, smart phone, or USB flash drive with corporate information stored on it.” (Symantec Corporation, 2009)
In a paper discussing the costs of security for small business, Dennis Bliss lists a few assumptions about the extent of the problem:
- Using a conservative estimate of 40%, we can assume that 1,485,200 of these small businesses have networks which are connected to the Internet. Of these, we can further estimate that each of these networks has at least 2 devices (computers, printers, etc.). Upon mathematical projection, this establishes that there are nearly 3 million devices connected to the Internet by very small businesses which are potential targets of attacks.
- Many of the computer systems used by these businesses are quickly thrown together in rudimentary networks and connected to broadband Internet connections, with little to no thought given to securing them.
- Due to the relative newness of computer and networking technologies, most small business owners and their employees have a very limited knowledge of securing these networks.
- Funding for computer and network security usually receives a low priority when ranked against other technical and non-technical small business needs. (Bliss, 2003)
While most small business owners agree that their networks should be secure, many of these managers feel the task may be beyond their reach. Caught up with the daily tasks of trying to make their business successful, some simply cross their fingers and hope for the best.
Each business is different and must assess how critical its data is:
- Can the company afford to lose or give away its client list or its employee or accounting data?
- Can the company afford the legal consequences of data leakage?
- Would the company be embarrassed by the disclosure of its business plans?
Large corporations and medium-sized businesses have written policies regarding the use of portable storage devices. In addition, they have the technical know-how to restrict the use of these devices on company networks to protect critical data. Most small businesses do not have those capabilities. There are several lists of “Best Practices” regarding portable storage or “Endpoint Security”. Endpoint security refers to the security measures necessary to protect devices on the fringe of company networks, the devices that are exposed to outside forces and threats.
At least one of those suggests: “Restricting portable storage is a bit more difficult from a policy perspective yet easy from a technology perspective. Many employees need use of portable storage for normal job activities, such as a sales representative exchanging documentation or transferring a presentation. Simply locking out portable storage (or encrypting files) may not be acceptable” (Gartner, Inc, 2006). This is especially true for small businesses. Each business owner must assess what level of security is acceptable and make an informed decision. “The cost-benefit case for mobile devices depends solely on the value of the corporate data at risk. Therefore, critical data must be inventoried and the appropriate security solutions implemented” (Patricia Mayer Milligan, 2008)
So, how do they manage portable (or removable) storage in a small business?
Awareness education
The first step in addressing management of portable storage is being aware of the issues of using such devices. Once management is aware and has agreed action is necessary, policies need to be prepared and an education plan should be developed. Communications in small businesses tend to be informal, and information is often communicated verbally. This, however, is one time when a written policy is necessary to protect the data, the employees, and the company itself. Even if it is a sole proprietorship, the policy should be written out for protection in case of a legal challenge to data leakage.
In regard to security awareness for Personal Computing Devices (PCDs), First Base Technologies says “users should be made aware of the security risks surrounding using and carrying PCDs and external memory” (USB flash drives). “They should be educated as to the value of data – many personnel just don’t think about the value or significance of the data they are carrying; if they did, they would probably instinctively take more care.” (Barnes, 2003)
An article on the SANS Reading Room website said “The primary objective of a security awareness program is to educate users on their responsibility to help protect the confidentiality, availability and integrity of their organization's information and information assets. Information security is everyone’s responsibility, not just the IT security department. It is critical that users understand not only how to protect the organization’s information, but why it is important to protect that information. People are often the weakest link in a security chain, because they are not trained or generally aware of what security is all about.” (Russel, 2002)
Another SANS Institute article said “The properly trained user can provide a very strong first line of defense for any network and usually provides the small business owner with the biggest bang for the buck as far as defense methodologies go. Since they are working with the network resources on a daily basis, they are in the best position to recognize a potential attack and stop it in its tracks.” (Bliss, 2003)
Identify
To protect what you have, you have to know what you have. The next step is to take inventory. Hopefully the business knows what computer equipment is on site, but desktop computers are moved from employee to employee and then retired to the back room. A full accounting of all computer equipment is necessary to begin a good security assessment. The items of greatest concern are the items that are considered portable: laptops, portable hard drives, and company-owned USB drives. This inventory should include locations of backup storage, both onsite and offsite.
An important point here is what company assets are being used. Employees should also be asked what personal equipment they are using for business purposes. A determination will have to be made regarding use of personal equipment later in the process.
Developing Policies
This may be the most difficult part of the process. The business owners must decide how much security they are willing to pay for. They must be aware there are legal considerations to developing policy and that some level of security is required. New regulations are coming as well. If the company does any government contract business, it is subject to additional rules and regulations. In a recent announcement, NextGov.com, a website covering technology changes in government, said “A federal interagency group responsible for data encryption policy and acquisition efforts is considering changes to existing technology contracts to incorporate tougher security requirements for removable storage devices such as thumb drives and handheld devices, a Defense Department program manager confirmed on Thursday. A list of approved removable storage products that meet minimum security standards should be released to agencies any day, according to a source in the federal information technology industry.” (Aitoro, 2009)
There are several regulations that affect the storage and movement of data. Sharon Harris provides the list below:
- Health Information Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
- Sarbanes-Oxley Act (SOX)
- SEC Rule 17a (Harris, 2006)
The policies developed need to address usage of company equipment for business use as well as personal equipment used for business purposes. There should be a notification procedure in case of loss or theft. The procedure should encourage prompt reporting of losses, and replacement drives should be available. There should be a reward, rather than a punishment, for reporting a missing drive promptly. Better to know data is exposed than to censure an employee for misplacing a drive. This is subject to management discretion, and multiple occurrences would have to be dealt with individually.
Implementing policies
Personal USB drives should be prohibited or severely restricted. Company-owned drives with the proper encryption and antivirus/malware protections should be purchased and made available to all employees. This will reduce the temptation to use personal drives. While flash drives with encryption and built-in virus/malware protection are sold today at a small premium over consumer products, the cost will continue to fall as onboard encryption becomes the standard. All forms of portable storage should be addressed, and similar policies can be easily extended to USB hard drives, although their use should be on an as-needed basis rather than a drive for everyone.
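One way to act on the inventory step above and on the “severely restricted” option on a Windows workstation, as an added example that is not part of this paper: list the attached USB disks with their serial numbers, flag any that are not on the company-owned list, and apply the built-in “Removable Disks: Deny write access” policy through its registry key. The serial numbers in $CompanyDriveSerials are constructed placeholders, and the script assumes it is run as Administrator.

```powershell
# Added example, not from the paper. Run in an elevated PowerShell session.

# Constructed placeholder: serial numbers of company-owned USB drives,
# taken from the equipment inventory.
$CompanyDriveSerials = @('COMPANY-SERIAL-0001', 'COMPANY-SERIAL-0002')

function Get-UsbDiskInventory {
    # Win32_DiskDrive reports every physical disk; keep the USB-attached ones.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            $serial = ([string]$_.SerialNumber).Trim()   # empty string if the drive reports none
            [pscustomobject]@{
                Model        = $_.Model
                Serial       = $serial
                SizeGB       = [math]::Round($_.Size / 1GB, 1)
                CompanyOwned = ($serial -ne '') -and ($CompanyDriveSerials -contains $serial)
            }
        }
}

function Set-RemovableDiskWriteDeny {
    param([bool]$Deny)
    # Registry location of the "Removable Storage Access" group policy;
    # the GUID is the Removable Disks device class used by that policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Deny_Write = 1 blocks writing to removable disks; 0 (or removing the value) allows it.
    New-ItemProperty -Path $key -Name 'Deny_Write' -PropertyType DWord -Value ([int]$Deny) -Force | Out-Null
}

$inventory = Get-UsbDiskInventory
$inventory | Format-Table -AutoSize

$personal = $inventory | Where-Object { -not $_.CompanyOwned }
foreach ($drive in $personal) {
    Write-Warning "Drive not in company inventory: $($drive.Model) (serial '$($drive.Serial)')"
}

# Restrict rather than lock out: employees can still read files from any
# removable disk, but cannot copy company data onto one.
Set-RemovableDiskWriteDeny -Deny $true
```

Note that Deny_Write applies to every removable disk, company-owned ones included; allowing only specific drives needs the separate Device Installation Restrictions policy or a third-party endpoint tool, and the setting may need a reboot to take effect.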
The need for written policies, even in informal organizations, was mentioned earlier. The key here is to follow awareness education with acknowledgement. The policies must be circulated to all employees, and a brief training session can be developed to introduce the policies and obtain employee sign-off that they have received and understood the policies and their purpose. This may prevent legal challenges in the future.
Conclusion
Micro businesses have a unique set of challenges when it comes to managing any part of their Information Technology environment, especially in terms of security. They do not have the luxury of having dedicated staff, and employees must assume multiple functions for the business to succeed. In the case of the non-employer entrepreneur, they assume all the roles. Technology skills may not be anyone’s strong suit.
Removable storage is inexpensive and very portable, getting smaller (physically) and increasing in data capacity almost daily. With the rise in data leakage, business owners must be more aware of the dangers and potential legal consequences of ignoring the risk.
Establishing and communicating a strong usage policy and providing company resources in the form of business-level USB drives will mitigate the risk. Periodic review and refresh sessions should be conducted at least annually, and new employees must at least read and sign an acknowledgement of the policy as part of their employee orientation.
Bibliography
Aitoro, J. R. (2009, January 29). Tougher security standards coming for removable storage devices. Retrieved from nextgov: http://www.nextgov.com/nextgov/ng_20090129_9364.php
Barnes, D. (2003, September 16). Portable Computing Device Security. Retrieved from First Base Technologies: http://www.fbtechies.co.uk/Content/Extras/Resources/WP-PortableComputingDeviceSecurity.pdf
Bliss, D. (2003). Security for the Small Business - At What Cost. Retrieved from GIAC Practical Repository: http://www.giac.org/certified_professionals/practicals/GSEC/2947.php
Gartner, Inc. (2006). Top Five Steps to Prevent Data Loss and Information Leaks. Gartner, Inc.
Harris, S. (2006, July 13). How to Create guidelines for using removable storage devices. Retrieved from SearchSecurity.com: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1214188_mem1,00.html
Patricia Mayer Milligan, P. a. (2008). Business Risks and Security Assessment for Mobile Devices. Information Systems Control Journal, 1-5.
Russel, C. (2002, October 25). Security Awareness - Implementing an Effective. Retrieved from SANS Reading Room.
SanDisk Corporation. (2008). Plugging the Leaks: Best Practices in Endpoint Security.
Symantec Corporation. (2009). Symantec Global Internet Security Threat Report Trends for 2008, Volume XIV. Symantec Corporation.
US Census Bureau. (2003). Statistics about Business Size (including Small Business).