Security Experts Commend IBM’s Ban on Flash Drives

Remote worker connectivity could be a snag, however

By Roy Maurer, July 3, 2018

Data security experts applauded IBM's recent decision to prohibit its employees from using removable data storage devices in the workplace but cautioned that the policy may not be right for everyone.

IBM global chief information security officer Shamla Naidoo informed staff in May that they would no longer be able to use USB flash drives or other portable data storage devices, in an effort to minimize "possible financial or reputational damage" if the data was lost or misused, according to The Register, a technology news site based in London. The company advisory stated that the policy would be in effect worldwide by the end of June and acknowledged that the move may be disruptive for some.

IBM wants its workforce to use the cloud to store and transfer data—more specifically, its own internal file sync and share service—instead of portable devices.

"We regularly review and enhance our security standards and practices to protect both IBM and our clients in an increasingly complex threat environment," IBM said in a statement.

Banning flash drives can also help IBM reduce the risk of employees' stealing or selling intellectual property, as well as make its environment more secure against cybertheft.

"IBM doesn't want to get hacked," said Stu Sjouwerman, the founder and CEO of KnowBe4, a security awareness and training company in Tampa, Fla. "It doesn't want to wind up on the front page of The Wall Street Journal in a story about their customer database being available on the dark web."


Research consistently shows that most cyberbreaches are caused by employee negligence. USB drives are easily lost or stolen, compromising company data, or used to introduce malware and viruses to the organization's network.

Sjouwerman said that cybercriminals have been known to drop USB drives labeled "Q4 layoffs," or "Q3 promotions" around office complexes and in the reception area, public restrooms and the parking lot to tempt curious employees to plug them into their computers and open the files inside.

"Those are the types of things that are practically irresistible to people," he said. "And once a bad guy infects your network through a USB drive, you're done. They own your network. You can get locked up with ransomware. They can steal valuable intellectual property."

Both Sjouwerman and Bruce Beam, director of infrastructure and security for ISC², an international nonprofit cybersecurity association in Clearwater, Fla., praised IBM for going farther than any other company they know of to remove the risk of USB drives.

"This kind of corporate policy is not prevalent at all," Beam said. "I've never seen a complete removal of all portable media, with the exception of the federal government. I've seen companies move toward only allowing certain devices sanctioned by the company to be inserted, but this is going the extra step."

However, he said, IBM employees may encounter problems as the plan is implemented, such as being unable to get to all of their data, and the policy may hamstring remote or traveling employees.

"You have to figure out some way to transfer data, which can be a challenge for workers who may not have the needed connectivity," Beam said. "IBM is talking about hooking up to wireless with 4G LTE sticks, but that could still be problematic depending on where remote staff works."

He added that companies can use media-sharing solutions like Dropbox, which can be helpful, but "again connectivity is the limiting factor."

There's also the issue of getting staff to change their workplace habits. And even with a ban on USB drives, protection isn't guaranteed. Laptops can still be lost or stolen, and nefarious employees can still steal data. 

"It really depends on the organization whether this is right for them," Sjouwerman said. "The far more common measure to prevent network infection is to simply disable the USB port in the active directory domain. That way, no one is able to transfer any data."
