Until proper security policies and enforcement are in place, the use of iPods in the workplace could mean employees walking out the door with a pocket full of sensitive data and thus should be banned, according to security firm NextSentry.
Employee use of removable storage devices such as memory sticks and CDs to extract company data has been on the rise since the company launched in June, it said in a release. NextSentry predicts that the use of iPods is quickly becoming “the methodology of choice for employees with legitimate access credentials to download confidential customer data and intellectual property for profit or personal gain,” according to the release.
NextSentry is calling such data theft “pocket fraud,” a term it has submitted for trademark. As far as nomenclature goes, the illicit download of confidential data onto an iPod or other portable data storage device has become known as Pod slurping.
As portable storage devices shrink in size and gain in storage capacity, they pose an ever greater risk to organizations. Third-party security products have emerged to address this threat. For example, Safend markets an auditor that keeps an eye on every port in an enterprise, from USB to WiFi and Bluetooth. Another Safend product allows the definition and enforcement of security policies to control how ports and devices are accessed. DeviceLock is in the same space, as is SecureWave.
Also, operating systems have started to pick up the ability to let USB ports be disabled altogether. For its part, in Windows XP SP2, Microsoft addressed the issue by introducing the ability to control block storage devices on USB buses.
Banning the popular devices would be an unpopular move. Employers themselves are using iPods for convenient employee training. NextSentry’s release referred to an Oct. 25, 2006 Wall Street Journal article that described some examples, such as National Semiconductor spending $2.5 million on video iPods for its 8,500 employees, including those overseas, for training purposes and company announcements.
Still, regardless of the iPod’s popularity, something’s got to be done, according to NextSentry. “With the average Word document averaging 25K to 30K, a 20GB iPod could hold more than 750,000 documents, which NextSentry believes should cause alarm for any company concerned about insider threats,” according to the company’s statement.
NextSentry is marketing a transparent client, the ActiveSentry StealthAgent, to run on employees’ desktops to nab their workers if they improperly download company data.
According to NextSentry’s release, the company doesn’t catch employees misusing e-mail to leak confidential data. More frequently, the company sees employees using tactics such as printing, the Web, instant messaging and traditional mass-storage devices to feed confidential data to the outside world.