IBM bans staff using removable storage devices

Staff at IBM have been banned from using removable storage devices, including USB sticks.

Shamla Naidoo, IBM’s global chief information security officer, has said that the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g. USB, SD card, flash drive).”

The rule has been put in place due to the “financial and reputational” damage they fear could occur if an employee was to lose or misuse the data. Staff will be encouraged to transfer data via an internal network instead of using the removable devices.

It has been reported that some departments had been banned from using these sorts of devices for some time, but all staff are expected to follow the new protocol by the end of May.

So, are USB sticks a potential threat to all organisations?

A study by Apricon found that 87% of people surveyed had either lost or had a USB stick stolen and didn’t notify their employer. It also revealed that 80% of people used unencrypted USB drives.

There are two major issues with this. First, all mobile devices containing sensitive data should be encrypted. Organisations should be putting policies in place to ensure that their data is protected if the worst-case scenario was to occur.

Secondly, if data is lost it should be reported immediately. With the GDPR now in effect, an organisation needs to know what data may have been lost in order to notify the relevant persons, and in certain cases, report it to ICO.

IBM has decided that these removable devices pose too much of a risk, but this may not be the case for everyone else.

While it’s important to prepare for the threats your organisation may face, you can easily waste time and resources preparing for ones that are unlikely to occur.

A cyber security risk assessment will identify, analyse and evaluate the risks that are relevant to your organisation, and propose remedies to mitigate these. A risk estimation and evaluation is performed, followed by selecting controls to treat the identified risks.

To find out more about our cyber security risk assessment service, speak to one of our experts >>