An old information security topic is suddenly hot again after news broke this week that IBM is banning all employees from using removable storage devices.
The Register reports:
"In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company 'is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).' The advisory stated some pockets of IBM have had this policy for a while, but 'over the next few weeks we are implementing this policy worldwide.'"
Should your organization ban USBs and other removable storage devices?
I've interviewed plenty of CISOs over the years, and I still remember one, from a credit reporting agency, who had this policy in place long ago. He couldn't even bring a USB with his presentation on it to the cybersecurity conference. There were zero exceptions, even for him.
Perhaps your organization has discussed this before, but it may be worth revisiting this policy. Both the times and the technology have changed.
Slavik Markovich, CEO and Co-Founder at Demisto—a provider of security automation, orchestration, and response—puts it like this:
"There is a fine balance between usability and security that CISOs should treat very carefully. This is a fantastic step for security because USB drives are hard to track, can hold large amounts of sensitive data, and usually are not encrypted, which means that if the drive is lost or stolen, then that data is in bad hands easily," he says.
"When compared to online data storage solutions, which usually have tighter security controls, it's easy to see the appeal. This is true only if the right digital security measures are already in place, which is usually the case, as most organizations already hold a lot of other sensitive data online. With today's plethora of online tools and controls, I believe the balance has finally shifted, and usability does not suffer much by banning USB drives."
IBM's reasoning for the move is to limit the risk of reputational or financial harm that comes with how easily information can be carried out of the organization on these devices.
The FDIC learned that the hard way, in a case that showed the FDIC insures bank accounts but not your privacy or security.
One thing is for sure after this week's internal memo leaked to the world: The move by IBM's CISO has resurrected the debate about what's reasonable, what works, and what this aspect of security should look like.