No Policies? No Results

Writing policies for mobile and portable storage devices may seem like an exercise in futility, but without them, there's no law in town

In America's old West of the late 1800s, there was little law. Folks did what they could with a gun and a rope, but in a territory so large, with so few sheriffs, there just was no good way to enforce what rules there were.

It was a great place to spin a yarn, but I wouldn't want to live there. Because without laws and policies, things would be, well, a lot like today's wireless and portable storage environments.

Yesterday, we published the results of our reader survey on mobile and portable security, and the results were both surprising and exasperating. (See No Wires & No Policies.) One of the key findings is that nearly half of enterprises still don't have a security policy for using portable storage devices. About one third of readers don't have a clearly stated policy for the use of mobile and wireless devices.

To be fair, there are some pretty good rationalizations for not developing such policies. Many readers told us that their upper management still does not recognize the threat posed by these devices, and thus they have no budget for policy development. Others pointed out that such policies are difficult to enforce because of the lack of good tools for monitoring end user behavior and/or blocking unauthorized activities.

These are good points, but in the end, they're still rationalizations. If your organization doesn't have a policy for the use of mobile and portable storage devices, it needs to create one.

Without policies, your organization operates a bit like the old West. With no guidelines, users are free to use whatever products they can find out there, buying equipment and media that may introduce vulnerabilities to your entire IT environment. Like gunslingers, they are free to engage in any sort of behavior they want, because there aren't any rules. It's Tombstone, Ariz. in 1881, and they're the Earps.

If you have a policy in place, however, most employees will follow it, even if there's no sheriff around to enforce it. A simple list of approved devices, services, and media is a good start, along with some guidelines on how to use them -- and how not to. This sort of rule set doesn't take 100 man-years to develop -- just a few hours and a good email system might be enough to reduce your mobile and portable risks significantly.
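As an added illustration, not code from the original column or from any vendor's product, the check below takes an approved-device list of the kind described above and flags USB plug-in events that are not on it. The approved list, the vendor/product IDs and the kernel log lines are all constructed for the example; the only real format assumed is the Linux kernel's "New USB device found" message.

```python
import re

# Constructed approved-device list, as a policy might publish it:
# (vendor_id, product_id) -> description. IDs are placeholders, not a real inventory.
APPROVED_DEVICES = {
    ("1111", "0001"): "Corporate-issued encrypted USB stick",
    ("1111", "0002"): "Corporate-issued external drive",
}

# Matches the vendor/product pair in a Linux kernel USB enumeration message, e.g.
#   usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 2.00
USB_EVENT = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)


def audit_usb_events(log_lines, approved=APPROVED_DEVICES):
    """Return (port, vendor_id, product_id) for every enumerated device not on the approved list.

    Matching on vendor/product ID is a monitoring baseline that supports a written
    policy; it identifies what the device claims to be, not who plugged it in or
    what was copied, so it complements rather than replaces endpoint controls.
    """
    violations = []
    for line in log_lines:
        m = USB_EVENT.search(line)
        if not m:
            continue  # not a device enumeration line
        key = (m.group("vid").lower(), m.group("pid").lower())
        if key not in approved:
            violations.append((m.group("port"), key[0], key[1]))
    return violations


# Constructed sample log lines in syslog/dmesg style: two approved devices, one unknown.
SAMPLE_LOG = [
    "Jun 14 09:12:01 ws17 kernel: usb 1-1: New USB device found, idVendor=1111, idProduct=0001, bcdDevice= 1.00",
    "Jun 14 09:12:01 ws17 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Jun 14 11:40:22 ws17 kernel: usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 2.00",
    "Jun 14 11:40:22 ws17 kernel: usb 1-2: Product: Unknown Disk",
    "Jun 14 13:05:09 ws17 kernel: usb 2-1: New USB device found, idVendor=1111, idProduct=0002, bcdDevice= 1.10",
]

if __name__ == "__main__":
    for port, vid, pid in audit_usb_events(SAMPLE_LOG):
        print(f"unapproved device on port {port}: {vid}:{pid}")
```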

It's true that such guidelines can be difficult to enforce, largely because tools for monitoring and access restriction are still emerging. But with technologies such as SecureWave's products for tracking and encrypting data on USB storage devices, it is possible to come up with a working solution. And vendors can't develop such tools if they don't know what customer policies are in place. If there are no rules, no sheriff can help.

The challenges of securing mobile and portable devices are numerous, and in many cases, today's technology may not be up to the task. But throwing up your hands and saying "forget it" isn't going to help the situation. Setting boundaries is the first step in creating a secure mobile environment. If you don't, you shouldn't be surprised to see your users take the law into their own hands.

— Tim Wilson, Site Editor, Dark Reading