IBM is reported to be banning employees from using USB sticks and memory cards – or indeed any removable portable storage devices – for transferring data.
The Register says that IBM global Chief Information Security Officer Shamla Naidoo has advised employees that the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).”
The motivation is pretty straightforward – as the CISO says, “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.”
There’s been a bit of noise online about the problems this might cause for field engineers and customer facing support, but it’s easy to see why IBM – and others – might take a hard line on use of portable storage.
It’s likely the security team has been reviewing its risk assessments in the run up to the implementation of GDPR on 25th May and they have gone into the detail of what measures the organisation is taking to ensure protection of personal data.
With over 350,000 employees worldwide, someone might have done a ‘back of the envelope’ calculation as to how many memory sticks might be in use and how much data might be on them.
In an organisation the size of IBM, they will certainly have had instances of lost storage devices – whether reported or not. They may also have been the victim of malicious intent facilitated by those handy little memory sticks.
The point for Data Protection Officers everywhere is that if a company like IBM – a technology company that probably has much better systems and security than yours – decides that a blanket ban on portable storage is required to mitigate the risk of their loss or misuse, maybe you should consider doing the same.
As the capacities of memory sticks have increased dramatically over the years, it’s easy to see how simple carelessness or a rogue employee could mean the loss of huge amounts of data – and unless it turns up in the public domain, the organisation may not even know about it.
If it did turn up in the public domain – and it contained personal data – imagine the conversation you would have with the Data Protection Authority in your jurisdiction while you explained an unreported data breach and the measures you have in place to secure the personal data you control…
It might transpire that IBM’s ‘blanket ban’ on the use of portable storage devices will simply be a policy that is more honoured in the breach than the observance, but food for thought as you do your own risk assessments and review of the security measures your organisation has in place to protect the personal data you are responsible for!
the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.Shamla Naidoo
Do you have a policy on portable storage?
Let us know in the comments below what your company has done to mitigate the risks associated with the use of portable storage devices.