Security Risk: USB Drives
Today's digital environment presents significant risk as well as rewards.
One area in which many firms and their clients are at high risk is with the use of small, inexpensive USB drives that have the capability to quickly copy, back up, transfer or store data. There are several reasons your firm should assess the risk and develop the policies and procedures necessary to reduce or manage that risk. The cost of doing this depends upon your firm's tolerance for risk. Based upon what some firms are doing, it appears that their tolerance for risk is extremely high. Perhaps this is due to lack of knowledge, or simply to the fact that no one is responsible for risk management in their firm. Too often, everyone is responsible and no one is accountable.
The following scenario is pretty common - most people have one or more USB or "thumb drives" on which they back up, transfer or store client data. Vendors often provide these devices for free at trade shows, and they are very inexpensive and available in stores and online. Some of the data placed on these devices may not be sensitive, but often data that comes under state, national or international security and data privacy laws resides on these devices. Most states have security breach laws requiring businesses to notify customers or clients of breaches of the security, confidentiality or integrity of unencrypted data held by the firm or business.
If these rules and regulations don't inspire your firm into action, then there are other reasons:
* More sophisticated clients are now asking firms about their data security and privacy policies.
* Firms want to protect their digital assets. Employees and partners have been known to download client files before leaving the firm.
The cost of protecting the firm has a direct correlation to the firm's tolerance for risk. The basic levels are:
* Ignore the risk.
* Encrypt data and approve appropriate policies.
* Encrypt and manage the portable devices with policies and enforcement.
This is a firm problem and not an IT problem. The IT department will play a role, but firm leadership and management are responsible for approval and enforcement of the policies. If a sophisticated solution is provided, the IT department can utilize technology to assist with enforcement.
Some of the common solutions that firms are using for encryption come from leading vendors such as CMS, Kingston and IronKey. All vendors provide drives of different sizes and encryption software. A quick Web search will provide the technical details. Some of the features you should consider are:
* Ease of use (always on, no need for drives or software installation);
* Anti-malware protection;
* Centralized remote administration of devices;
* Remote destruction capability;
* Enforcement of firm policies such as password length and strength;
* Public key infrastructure and digital certificates;
* A high-speed, reliable platform for virtual machines; and,
* RSA SecurID.
I suggest the following action steps to address the issue of USB storage devices in your firm:
1. Identify the person in charge of risk management in your firm.
2. Assess the level of risk and the tolerance for risk in your firm.
3. Develop and approve an appropriate policy to manage the risk.
4. Select a vendor and encryption methodology that will allow your firm to comply both with your own policy and with any applicable laws.
5. Educate your employees.
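As a worked example for step 2, and for the earlier point that breach-notification duties attach to unencrypted data, the following Python script is added here and is not part of the original article or of any vendor's product. It inventories a mounted thumb drive: files whose byte entropy is high are reported as encrypted or compressed, and the remaining plaintext files are checked for Social Security-style and Luhn-valid card-style numbers. The mount path, the constructed sample files, the regular expressions and the entropy threshold are all assumptions chosen for illustration.

```python
"""Inventory a removable volume for plaintext files holding regulated identifiers.

Added example, not from the article. Assumes the thumb drive is already
mounted at a path passed to scan_volume(); everything else is constructed.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic threshold (bits per byte). Random-looking data scores close
# to 8.0; English text scores around 4-5. Ciphertext and compressed archives
# both land above this line, so they are reported together, not as "safe".
HIGH_ENTROPY_BITS = 7.5

# SSN-like: area not 000/666/9xx, group not 00, serial not 0000 (assumed rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like: 13-19 digits with optional space or dash separators; Luhn-filtered.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; cuts most random digit-run false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Count SSN-like and Luhn-valid card-like numbers in a block of text."""
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}


def scan_volume(root: str, max_bytes: int = 1 << 20) -> list:
    """Walk root and classify each regular file by the first max_bytes of it.

    Each record carries the path relative to root and a status of
    'encrypted_or_compressed', 'regulated_plaintext' or 'plaintext'.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()[:max_bytes]
        rel = path.relative_to(root).as_posix()
        if shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            findings.append({"path": rel, "status": "encrypted_or_compressed"})
            continue
        ids = find_identifiers(data.decode("utf-8", errors="replace"))
        status = "regulated_plaintext" if any(ids.values()) else "plaintext"
        findings.append({"path": rel, "status": status, **ids})
    return findings


def build_sample_volume(base: str) -> str:
    """Create a constructed stand-in for a mounted thumb drive under base."""
    vol = Path(base) / "THUMBDRIVE"
    (vol / "clients").mkdir(parents=True, exist_ok=True)
    # Constructed sample data: a well-known test card number and a dummy SSN.
    (vol / "clients" / "smith.txt").write_text(
        "Client: J. Smith\nSSN 123-45-6789\nCard 4111 1111 1111 1111\n")
    (vol / "agenda.txt").write_text("Partner meeting Tuesday 10:00, room 4.\n")
    (vol / "vault.bin").write_bytes(os.urandom(8192))  # stands in for ciphertext
    return str(vol)


def demo() -> dict:
    """Scan the constructed volume and index the findings by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["path"]: r for r in scan_volume(build_sample_volume(tmp))}


if __name__ == "__main__":
    for record in demo().values():
        print(record)
```

Point scan_volume() at the real mount point (for example /media/usb or E:\) to get the same records for a drive an employee brings in. Two caveats a practitioner should keep in mind: the entropy test cannot tell an encrypted container from a ZIP file, so a high-entropy file is only "not obviously plaintext", and pattern matching misses identifiers inside binary office or PDF formats and will occasionally accept a phone or account number that happens to pass Luhn. The scan is a way to size the problem in step 2; it is not a substitute for the managed, encrypted drives the article recommends.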
Yes, it does cost more to implement devices, encryption and policies that provide maximum protection. However, most firms find that the cost is much less and the systems easier to manage than ignoring the problem until a breach occurs and you have to notify clients. Your firm's strategy may also be integrated with other mobile devices such as notebook computers and PDAs.
A few dollars spent on prevention will save thousands of dollars in notification and damage to your brand when a breach occurs.
Gary Boomer, CPA, is the president of Boomer Consulting, in Manhattan, Kan.
(c) 2009 Accounting Today and SourceMedia, Inc. All Rights Reserved.