CALIFORNIA UNSUPERVISED IPOD USAGE CAN CAUSE A SERIOUS DATA SECURITY RISK IN WORKPLACE
Tuesday, February 13, 2007
Ban iPods at work?
Storage devices like music players could be carrying your company's secrets. Experts offer ideas to prevent data theft.
You're unlikely to visualize a colleague in a nearby cubicle or the executive suite. Or, maybe even less likely, it's tough to see that thief as the co-worker pretending to listen to music at work but instead downloading company secrets from a computer to an iPod.
Thieves using computers rake in more than $100 billion a year, according to an estimate from the U.S. Treasury Department's Office of Technical Assistance. And about 70 percent of computerized theft at corporations involves insiders – a third of that by senior management, according to the Gartner research firm.
Those are educated guesses, at best, but the stakes are undeniably high, especially for innovative companies that live or die on the value of their intellectual property.
So, even as companies stress the importance of teamwork, it's important for them to know the latest methods that self-serving and malicious employees can use to steal company data – and keep up on the latest methods for fighting back.
For example, banning iPods and MP3 music players, which are actually portable hard drives that can hold as much as 80GB of data.
"What is remarkable about this is that the theft can be done wirelessly, or it can be done through plugging of an iPod into a USB port," says Mark Romeo, a partner at the Pillsbury Winthrop Shaw Pittman law firm in Costa Mesa who specializes in protection of trade secrets. "To the company, it just looks as though you're listening to your iPod at work. They would have no idea that you're downloading 100MB of data every two minutes."
"For a small- to medium-sized company," he adds, "you could download essentially every Word, Excel or PDF file within a very short period of time."
It's for that reason he advocates barring iPods for certain workers.
"That might be a little bit over the top, but depending on whether a person has access to a company's highest level of trade secrets, it may not be a bad idea," Romeo says.
HIDDEN PROBLEM
How often such thefts happen is impossible to know. When computerized consumer data fall into an outsider's hands, California law requires the company to inform people that it happened. In contrast, when a disgruntled employee steals secrets and takes them to a competitor, a company is likely to threaten to sue and then settle out of court to cut costs and avoid publicity.
"Security breaks occur on a daily basis – someone has access that they're not supposed to," says Jack Bicer, president of the local TechBiz Connection and a technology consultant through his firm, Septium Corp. of Irvine. "But is there damage? Most times not."
But iPods were used in computer-theft cases last year in San Francisco and Mumbai, India. In the California case, police reported finding electronic copies of tax returns, credit files and loan applications on the iPod of a man arrested for receiving stolen computers. In India, an employee of a chemical company reportedly filled his iPod with data and sold it to a second firm, which apparently used the data to submit a bid that won by edging out the competition.
"Most companies don't know to look for this type of theft," says Romeo, who calls the practice "iPod slurping."
"You think of the traditional theft of trade secrets occurring on a CD or DVD," he says. "Someone walks out the door after they've been terminated or they quit, and you catch them with a CD full of data. Now you're going to see cases of people walking out with an iPod around their neck. Security is not going to think anything of it … until your competitor has your trade secrets."
POSSIBLE REMEDIES
What can a company do? Many countermeasures exist for companies to choose from:
- Confidentiality statements that employees must sign – "the most basic step one can take," Romeo says.
- Password-protected access to computer data, also pretty basic. Romeo suggests using SecureWave software, which allows system administrators to control who has access to which data.
- Making a copy of each departing employee's hard drive. If suspicions later arise, the copy can be scrutinized by forensic experts for signs of any illicit copying.
- Software that monitors or even blocks USB ports, such as DeviceLock or Desktop Authority.
"While that might be a little too Big Brother-ish for certain companies with certain kinds of data, it may be necessary to go to that extreme to ensure that people aren't using USB drives, iPods and MP3s for illicit purposes," Romeo says.
Such controls should be paired with limits on Web surfing, Bicer says, because restrictions on downloads without limits on Internet access wouldn't be enough to deter thieves.
"I don't need a device. I can upload data to an FTP site or wherever I have storage space," he says.
Bicer also recommends that companies pay close attention to what could happen if an employee doesn't intend to steal company data, but loses it, such as in a misplaced thumb drive or a stolen laptop.
He recommends options such as:
- Password-protected USB drives.
- Encryption software such as TrueCrypt or PGP Whole Disk Encryption that puts a laptop's data into an "electronic safe," where it appears to outsiders as one big unreadable file. A similar program that he recommends is Password Safe, open-source software that encrypts a file containing all of a person's various passwords. It's available at passwordsafe.sourceforge.net.
- New laptops with fingerprint recognition or similar thumbprint recognition devices, which can be purchased at office-supply stores.
- Software, such as that made by GTB Technologies of Newport Beach, that labels company files with a sort of digital watermark, so attempts to move it to another computer can be blocked.
Bicer advises companies not to go overboard on security spending.
"You can invest a lot of money in security. The question is, 'What are you getting back for that?' " he says. A level approaching 100 percent security will cost 10 times more than 80 percent security, he says. But is that additional spending justified?
"There isn't 100 percent security, anyway."