The proliferation of small portable media and storage devices has changed the security threat facing most organisations today.  Perimeter security mechanisms have largely addressed the risks associated with external attacks or internet and email connections being used to transport unauthorised content into and out of the enterprise – but these technologies have no ability to stop such transactions at the desktop or laptop.  No version of Windows allows any control over internal or external storage devices.  A further threat is the loss of valuable data legitimately held on a storage device through theft or accidents.

Specifically, organizations need to ask themselves if it is time to:

• Limit the use of portable data storage media and devices except with specific authority
• Prevent MP3 Players being connected to PCs
• Restrict the connection of personal PDAs to company-owned computers
• Block the connection of mobile phones and cameras to corporate PCs
• Limit the capacity of data storage devices issued by the organisation
• Amend definitions of ‘misconduct’ within appropriate HR policies to reflect the new issues facing organisations as a result of these lifestyle devices

The risks posed by these new threats

Loss of Confidential Information

The unauthorised release of confidential information can present huge problems for businesses ranging from a loss of competitive advantage to a loss of reputation or brand damage or even to court actions. Industrial espionage is increasing generally. The most common example occurs when employees move jobs and involve themselves in taking material (including trade secrets and customer database) from their current employer to their new employer.

Intellectual Property Rights Infringement

The vast majority of content accessed by employees, whether it is held locally or on the internet, is subject to some form of intellectual property or copyright law. The employer should guard against the unauthorised transfer of such content to and from their networks, as they lay themselves open to a significant risk of prosecution by a third party laying claim to the copyright.

Corruption of Data and Systems

While most organisations have taken steps to protect themselves from the number one method of virus propagation – email and internet downloads – many are still susceptible to malicious code being introduced directly through a PC on the network from a device used on an unsecured home computer. 

Vicarious liability

Put simply, vicarious liability means that an employer can be held responsible for negligent acts by its employees – regardless of whether their actions were specifically authorized by the employer.  This means that, in addition to data loss or threat introduction, employers face a significant risk if their networks are used to transfer inappropriate content. 

Breach of Privacy / Data Protection laws

With increasingly strict data protection laws now in place, lack of control over what information leaves and enters the network can lead to investigation by industry watchdogs, and even prosecution for company directors.