Device Threat


Downloading files onto iPods almost always involves music. But with 20 to 40 gigabytes of storage capacity, what’s to stop someone from downloading sensitive company files and taking them out of the office?


In a move that captures the challenge of maintaining security in a digital age, a growing number of companies, including a few of Boeing Co.’s Southern California offices, are banning digital music players, portable memory sticks and camera cell phones.


“In some of our facilities where we do sensitive business, like integrated defense programs and aircraft programs, we don’t allow things that can carry storage devices,” said Kelly Donaghy, security spokeswoman for Boeing.


Employees are told to drop them off before they enter the building, or leave them in their cars. “The people who work in those buildings, they know the rules,” she said.


An example of the new rules: A vice president of business development for GuardianEdge Technologies Inc. was stopped at the front gate of a large consumer electronics maker and told to declare if he had an iPod, a camera phone or a PDA. The devices were put in plastic bags and tagged. When he exited the building, he had to prove that the bags remained unopened in his pocket throughout the visit.


“They had a no-tolerance sort of policy,” said Steven Lerner-Wright, a spokesman for GuardianEdge, a Silicon Valley information security consultant, who was told of the incident but declined to identify the company.


GuardianEdge helps companies protect against data theft, usually by installing encryption software. But occasionally, Lerner-Wright admits, companies choose to ban devices rather than change the way they protect their data.



Ready availability


Part of the reason is that technology is developing faster than company security policies. Just a couple of years ago, memory sticks (small, removable hard drives that can be plugged into computers) weren’t on key chains, phones didn’t have cameras in them, and portable CD players didn’t have hard drives.


“The iPod exploded so quickly I don’t think everybody thought of it as generic portable storage,” said Lerner-Wright. “Companies are only now trying to come to grips with the ready availability of these devices.” Apple officials declined to comment, as they have throughout the security controversy over the iPod.


The furor started last fall when the research firm Gartner Inc. released a report pointing out the risks that employees’ portable devices pose to corporations. These products, the report concluded, “have the capacity to quickly download much valuable corporate information, which can be leaked to the outside world.”


Analyst Ruggero Contu, author of the report, recommended banning these devices from company premises, disabling the USB ports on computers, or simply forbidding employees and external contractors from using personal devices with corporate PCs.


“No one can deny that they’re fantastic,” Contu said in an interview. “It’s such a small and light item and can store so much.”


Contu didn’t want to single out the iPod, because memory sticks and Palm Pilots have similar capabilities. But there are 20 million users of the super-popular iPod.


“Apple was very upset with us,” said Vic Wheatman, another technology analyst at Gartner. By lumping the popular iPod with hard drives and data storage devices, the report touched a nerve with consumers and businesses that hadn’t looked at the white ear buds as anything more than a fashion statement.


“The fact that these devices are so capable certainly increases the risk,” Wheatman added. “Just 100 bytes of the right information is going to be important. Just think, corporate drawings, secret formulas, plans for the next-generation missile system; those things have a great deal of competitive value.”


The aerospace industry appears to be taking the lead in restricting iPod-like devices, while policies on devices haven’t been clearly established in other industries yet.


Occidental Petroleum Corp. spokeswoman Jan Sieving said that the company has a security policy, but that it doesn’t involve iPods or camera phones.


Wells Fargo & Co.’s policy prohibits employees from using any type of equipment to copy or send unauthorized information. “Our policy doesn’t go that specific, to the type of device,” said spokeswoman Jennifer Langan. “We just say equipment cannot be engaged in this type of behavior.”


Chuck Freadhoff, spokesman for the American Funds, a unit of Capital Group Cos., said “we certainly don’t ban iPods; mine’s in my bag.” But at the fund’s service centers, where employees have access to customer financial data, it’s a different story. Personal devices, such as USB key-chain drives or iPods, are not allowed to plug into company computers. Personal cell phones, which may be equipped with digital cameras or memory cards, are to be used outside the building.


“We have very strict controls to make sure that all shareholder records are secure and not shared,” Freadhoff said.



‘Everything’s digital’


Some industries with tech-savvy employees face an uphill battle. “It’s been talked about,” said Craig Mitchell, a spokesman for Calabasas-based video game maker THQ Inc. “But it’s not something we have to take a class on.”


Mitchell’s phone has a digital camera and his iPod is in his bag. As with most creative tech companies, employees sign a non-disclosure agreement, he said, and it is generally “frowned upon” to use those devices on a company computer.


“An iPod is just like any other storage device,” said Bob Finlayson, head of corporate communications for THQ. “I don’t see why you’d ban it specifically. In our world, everything is digital.”


Thousand Oaks-based biotech giant Amgen Inc.’s Web site notes that personal health information is “kept physically behind firewalls that meet or exceed industry standards.” But that doesn’t cover people inside the firewall who happen to have iPods or memory sticks.


“I would bet that most companies in the pharmaceutical industry would prohibit unauthorized use of cameras,” said Jon Martino, manager of investigations for Amgen and chair of the American Society for Industrial Security’s pharmaceutical industry advisory group. “Obviously the technology has stepped up with the use of camera phones and iPods. These are things that each company has to individually look at and decide.” He declined to comment on Amgen’s security policy.


Security experts say that company policies must evolve as devices become smaller, cheaper and more popular. “You may soon see brokers being told not to bring iPods to work,” said Lerner-Wright.


But he insists that it’s better to focus on the data, not the device, because devices are constantly changing. “It’s about looking to solutions that will automatically encrypt data when it’s exported, or technology that will scan whatever device you’re attaching to the port and can say, ‘This device does not have the proper credentials,’” he said.
