"Thumb drives are a revolutionary technology because of their small size, large capacity, low cost and universal plug and play. But they also present two primary security problems: they are easily lost or stolen, and they serve as a vector to transmit malware," said Jonathan Gossels, president and CEO of SystemExperts Corp. in Sudbury, Mass.
Storage industry analyst and "Ask Mr. Storage" columnist Curtis Breville agreed, saying that thumb drives, which now hold upwards of 64 GB, pose a great danger of data loss, one that could be catastrophic even for an SMB.
"There are disclosure laws that state that if you lose any customer information you have to let every one of your shareholders and customers know there was a breach," Breville said. In addition, if you're a small company contracting for a larger company, you are putting that company's reputation in jeopardy if you don't properly secure data stored on thumb drives.
Encryption and policies key to thumb drive security
In some extreme cases, SMBs may be forced to block thumb drive usage through policies that disable USB port access because of the high risk. But more often, experts say a strategic combination of encryption, policies, monitoring and user education can be applied to ensure that only appropriate data is allowed onto the devices and that storage is carried out securely.
To start down this path, companies must first determine the risk level of their data, which will help guide what type of technology to employ. If thumb drives are only going to be used to transfer non-sensitive, non-critical data internally, then run-of-the-mill thumb drives will suffice.
More than likely, though, you'll want to develop granular storage policies based on file type and user role to guarantee that multiple layers of security are being used. For instance, highly regulated industries such as health care and the government have to demonstrate they are using passwords and encryption to store and access sensitive data.
"Not all memory sticks feature encryption, so risk-averse SMBs should purchase and manage their thumb drive fleet rather than allowing users to store data on devices they received free at conferences or bought themselves," said Jeffrey Falcon, senior network security specialist at technology retailer CDW in Vernon Hills, Ill. Some companies, such as IronKey, McAfee and RSA (the security division of EMC), even offer warranties and maintenance contracts for their high-security USB drives.
SMBs that need to guarantee that all data will be encrypted should consider thumb drives that feature hardware-based encryption that is embedded in the thumb drive's controller, such as Imation's Pivot Plus Flash Drive, according to Breville. The controller ensures that a password is required to access the drive and that it will only store encrypted data. The Pivot Plus Flash Drive, which uses 256-bit AES encryption, starts at $12.99 for 1 GB and ranges to 16 GB of storage.
To gain two-factor authentication, companies can employ biometrics. Biometric-enabled thumb drives, such as Kanguru's Bio AES, enable users to secure stored flash data using their fingerprint and a password. "It is a very exciting area. Some drives can store multiple thumbprints and act as security keys for PCs and website log-ins," Breville said. The only drawback: they tend not to support the higher storage capacities. For instance, the Bio AES, which ranges in price from $79.95 to $179.95, tops out at 8 GB.
Although they tend to be more enterprise-focused, SMBs can also deploy software to centrally manage their thumb drive fleets. For instance, the Kanguru Remote Management Console and IronKey Enterprise allow IT teams to remotely delete lost or stolen thumb drives, manage passwords and check that drives are in compliance with corporate security mandates.
Centralized management tools can also make sure that devices are scanned for viruses and other malicious code before they are able to access networked PCs.
Backing up thumb drives
IT teams that want to back up and centralize all data that exists on the thumb drives can activate low-cost or built-in USB synchronization software on user PCs. That way, when the thumb drive is accessed, the data is automatically uploaded to the PC and will be part of the company's usual network backup and centralization strategy, Breville said.
Conversely, IT teams can control thumb drive usage through more sophisticated tools, such as Bit9's Parity, which can restrict usage of devices by make, model and serial number. "These tools allow great flexibility in developing policies that can be customized down to the individual's role within the organization," said CDW's Falcon.
For instance, these tools can limit, track and audit what applications and files users can upload or download to a machine based on whether the device they are using is approved. This is a tremendous benefit for companies that want to keep a close eye on contractors who are working with in-house machines. Pricing starts at $10 per endpoint.
Users should also realize that thumb drives are not a replacement for network-based storage and that they must still log on regularly to back up their computers to the enterprise.
Finally, users should be reminded how fragile thumb drives are and that they should be treated with care. "You don't know how often I've seen people with just the lanyard around their neck and they don't know they've lost the thumb drive itself," Breville said.
About this author: Sandra Gittlen is a freelance technology editor in the greater Boston area. She can be reached at firstname.lastname@example.org.