Opinion: iPod therefore iCan steal
Warning: MP3s Could Seriously Damage Your Reputation
By Martin Allen, Pointsec Mobile Technologies | Published: 15:00, 03 February 2006
So you’re in love with your MP3 player: you go jogging with it, you sleep with it and you listen to it on the way to work! This year the workplace has become flooded with them, as the cheapest MP3 players are now sold for as little as £20, storing around 256MB of data. At the top end of the market, digital jukeboxes with storage of 20GB start at under £150 while a 60GB Apple iPod Video player can be had for just £300. That is the same storage capacity as a lot of corporate notebooks.
What makes this market a little dangerous for companies, and dangerous for your health, is the fact that there have never been so many sold with such large capacities, creating a real headache as to how you can manage them within the workplace.
While these devices are aimed at a consumer market, there has already been an increase in their use within the corporate environment, and this is set to increase as more people recognise that they are ideal for listening to corporate presentations on the move. Others might use them to listen to audio books or even watch training courses. In meetings, the MP3 player has already replaced the mini tape recorder due to battery life, capacity, ease of file storage/sharing and cost.
Consumers want to use these devices on their corporate networks today to download content. While there are figures showing that some of this content is illegal, there has been a big move towards legal content. One of the drivers of this has been the strengthening of the audio book market. Whereas just a few years ago it was novels or self-help books that dominated the audio space, now there is a huge array of general business books on the market. This market is also being targeted by educational publishers who are moving their existing content into a new market. For these publishers, getting users to play “skills enhancement” books on MP3 players is as much a B2B as a B2C play.
Pods, Podcasting and video iPods
Then there is the big emerging market of the year – Podcasting. In the same way that the DVD recorder and Sky+ box have revolutionised the way we handle the time-shifted world of television, Podcasting is doing the same for audio and it seems everyone is doing it. In the UK, the most popular Podcast is the BBC Radio 1 breakfast show. Unsurprisingly, it is most often downloaded during the day, probably by people who missed it while travelling into work.
It is not just audio that is driving the Podcasting market. The BBC and several other channels have committed to putting their TV programs out via broadband. They are also allowing them to be downloaded from websites. As this requires a reasonable bandwidth to get several programs, it is not unreasonable to expect that this will often be done at work.
The mobile video market has no doubt been helped substantially by the entrance of Apple with a video iPod. However, there are numerous other vendors, such as Archos, that have had high capacity video jukebox players for a number of years now. The storage in these devices is set to soar with the introduction of new perpendicular disk drives. We are already seeing the first 160GB disk drives and they will only get bigger.
While this is ideal for very high quality video it also poses a massive and significant risk to corporate data. The capacities at this high end equate to a laptop drive. This means that vast amounts of corporate data can be removed on a small consumer device that sits in the pocket.
Measures introduced to prevent such devices from connecting to corporate resources are failing. As fast as vendors bring out software to identify and block the devices, device manufacturers and software companies are releasing utilities to hide the devices from network administrators. A common approach now is to just report them as removable CD players. This allows them to avoid many of the restrictive practices introduced by the network administrators.
The goal, then, is not to exhaust resources trying to ban the devices, but to find a way to encompass their existence within the corporate data security policy.
One of the first problems is that devices are likely to have content put on them at different locations. There are no anti-virus or anti-spyware programs for the majority of these devices, although software to protect smartphones is beginning to appear. With multiple connection points for the mobile device, corporate desktops and laptops MUST be updated with the relevant software.
As the capacities increase, another measure, if these devices are to be tolerated, is to introduce transfer quotas. These allow you to restrict the amount of data that can be moved to an individual device. While this will not prevent data being taken out of the building it will restrict the quantity that can be taken at any one time.
A major problem with consumer devices is that they are not looked after carefully and attract thieves. This is where companies can take a very positive step to protect data. There are products that insist on encrypting data as it is being moved onto portable devices.
One advantage of this approach is that should the device be stolen, the data is protected. Another is that the larger capacity devices can be utilised as pseudo backup devices for mobile workers while keeping the data secure.
Hints and tips
Although tremendously useful, removable media devices, due to their small size, guises and uses, can be a serious security threat to any organisation. Here are a few hints and tips on balancing the benefits of these devices against the risks they pose:
- Step One – Security Policy - Removable media devices are not toys. Decide how you as a company want to manage them. It would be naïve to think you could simply ban all removable media; however, you should introduce removable media into your Security Policy and make sure that everyone on your staff reads and signs the policy. Also, explain to your staff what actions will be taken if the policy is ignored. Having a clear security policy that every employee has to read is therefore essential.
- Step Two – Education - Inform your employees about security and its implications. Explain why certain controls have to be put in place. Don’t just impose those controls or users will ignore them.
- Step Three – Encryption - Consider employing a mobile data protection product. Make sure you use policy-controlled software that encrypts data transferred to all external storage devices. Mandatory media encryption solutions are available that can be centrally controlled by the IT department. The best products are fast and transparent to the user, so as not to interfere with their real-time work. Such protection automatically encrypts all information loaded onto a USB token or other removable media. Access is granted only to the user who holds the password.
- Step Four – Control - Implement device and executable control solutions that enable you to control exactly what devices can be connected to a system and what executable files can and cannot be run. At the same time make sure you have effective protection against Trojans and other harmful software.
- Step Five – Audit and Measure - Ensure that you carry out regular audits to find out who is using removable media.
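The transfer quotas described earlier and the audit in Step Five can be driven from the same record of copy events. The sketch below is an added example, not taken from the article or from any product it refers to; the 500 MB per rolling 24 hours limit, the event fields and the device serials are all assumptions. It keys the quota on the device serial rather than on the device class the device reports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUOTA_BYTES = 500 * 1024 * 1024   # assumed policy: 500 MB per device...
WINDOW = timedelta(hours=24)      # ...in any rolling 24-hour window

# Constructed sample events: (ISO timestamp, user, device serial, bytes requested)
EVENTS = [
    ("2006-02-01T09:00:00", "alice", "IPOD-0001", 300 * 1024 * 1024),
    ("2006-02-01T11:30:00", "alice", "IPOD-0001", 150 * 1024 * 1024),
    ("2006-02-01T16:00:00", "alice", "IPOD-0001", 100 * 1024 * 1024),  # over quota
    ("2006-02-01T16:05:00", "bob",   "USB-0042",   20 * 1024 * 1024),
    ("2006-02-02T09:30:00", "alice", "IPOD-0001", 100 * 1024 * 1024),  # 09:00 write aged out
]


def enforce_quota(events, quota=QUOTA_BYTES, window=WINDOW):
    """Return (decisions, audit): per-event allow/deny and per-device totals."""
    recent = defaultdict(deque)   # device -> (time, bytes) of allowed writes in window
    audit = defaultdict(lambda: {"users": set(), "allowed": 0, "denied": 0})
    decisions = []
    for stamp, user, device, size in sorted(events):
        now = datetime.fromisoformat(stamp)
        q = recent[device]
        while q and now - q[0][0] >= window:   # drop writes older than the window
            q.popleft()
        used = sum(b for _, b in q)
        allowed = used + size <= quota
        if allowed:
            q.append((now, size))              # only completed transfers use quota
        entry = audit[device]
        entry["users"].add(user)               # Step Five: who uses which device
        entry["allowed" if allowed else "denied"] += size
        decisions.append((stamp, user, device, allowed))
    return decisions, dict(audit)


if __name__ == "__main__":
    decisions, audit = enforce_quota(EVENTS)
    for stamp, user, device, allowed in decisions:
        print(stamp, user, device, "ALLOW" if allowed else "DENY")
    for device, entry in sorted(audit.items()):
        print(device, sorted(entry["users"]), entry["allowed"], entry["denied"])
```

Denied requests are kept in the audit totals because repeated attempts to exceed the quota are themselves worth reviewing.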
In today’s complex digital world, nothing about security can be guaranteed. But by following these few simple steps, you can mitigate your risk and show that you have taken adequate steps to do everything you can to protect the information that is being carried around on removable media devices. Once you do, you’ll be able to sleep at night, safe in the knowledge that your company is not the next in line for public humiliation in the tabloids for allowing a leak of valuable information.