Avoid the Memory Card Menace

The risks in removable media

Everyone is familiar with the humble floppy disk. For many people, it is the main way to transfer data between computers. My wife still uses floppies to transport the plays she writes to different theatres. But in comparison to the latest technology, a floppy disk is so primitive it might as well be a stone tablet. People's perception of risk hasn't caught up with what is now possible.

For example, you can store 512MB in a secure digital card the size of a postage stamp. This is the equivalent of 364 floppy disks or an encyclopaedia or (more worryingly) a complete customer database plus a copy of all your company's correspondence. Pen drives, MP3 players, digital camera memory cards, removable hard disks, CD and DVD writers all allow staggering amounts of data to be transferred quickly and easily. And you might not even know it's happened. Even if the data is being transferred for legitimate reasons, the loss or theft of the portable device that carries it is still a risk.

A recent survey found that such removable media were used on 85% of business networks, with many employees using them to transfer work between home and office PCs. However, a vast majority of firms had no policies to prevent or manage the use of removable media. A few organisations, such as the RAF, have very strict policies and enforce them with all the rigour that military discipline can impose.

The sponsors of the survey, Reflex Magnetics, have developed software that can control users' ability to copy data to removable devices. However, there are things that a small business can do without spending a lot of money or getting the RAF to frisk your employees.

Removing the Risk of Removable Media

'The very first thing they need to do is a bit of risk analysis,' says Andy Campbell, MD of Reflex Magnetics. They should 'look at their business critically - what are we storing on the network, what access do we give, do we want that data easily transported out of the office?'

•	The key step is to control access to data. Make sure that you have a strict password policy and restrict access to workstations so you can prevent unauthorised access to data
•	Compartmentalise data on the server. Does everyone need full access to the customer database or accounts? Are there ways you can make it difficult to copy whole chunks of data - perhaps you can give staff access to one client account at a time through a web browser?
•	Have clear policies about what employees can do with confidential or business-critical data. Educate the workforce
•	Encrypt corporate data removed from the network
•	Consider banning digital cameras, MP3 players and other devices that could be used to transfer data
•	Consider disabling USB ports, removing CD-R drives, floppies, printers and other devices with card readers

Where next

•	See our security area for general advice and information.
•	Discover the three basic steps to help ensure your PC is protected.