May 12, 2018
Staff at IBM have been barred from using removable storage devices such as SD cards, USB sticks, and flash drives.
The risk of “reputational and financial” damage if staff misused or lost the devices prompted the decision.
Instead, IBM staff who need to move data around will be helped to do so over an internal network.
In an advisory, Shamla Naidoo, the company’s global chief security officer, told IBM staff about the policy.
Some IBM departments had been barred from using removable media for some time, said Ms. Naidoo, but the order was now being applied worldwide. IBM staff are expected to stop using removable devices by the end of May.
When asked about the policy, an IBM spokeswoman said: “We frequently revise and improve our security standards and practices to safeguard both IBM and our customers in an increasingly complicated danger environment.”
Security expert Kevin Beaumont said: “It is a courageous move by IBM, as USB appliances present an actual risk – frequently it is very easy to get data from a company through these appliances, and introduce hateful software.”
Nevertheless, he said, IBM may encounter problems applying its plan.
“Technically it’s fairly easy to control access to USB memory sticks, together with controlling what data can be copied to them,” Mr. Beaumont stated. “Realistically it can be tough as you will find staff who use them for valid business purposes – this will require staff members to change office habits.”
Sumir Karayi, chief executive of security company 1E, said IBM’s prohibition was an “overreaction” by security staff who had not realized the many different ways data flowed in and out of a business.
“Avoiding USB is not going to obstruct people from stealing data,” he said. “As for harm, a laptop, a NAS appliance or identifications to an FTP server are simply as easily lost.”
The ban comes just before stringent European laws covering the use of data come into effect.
On 25 May, the GDPR comes into force, levying heavy penalties on businesses that do not do enough to safeguard confidential information.