Derek Brink, an analyst at Aberdeen Group, says Columbus is using what he calls an "active/fine-grained" approach, where every sensitive file is encrypted and the city constantly monitors all thumb-drive data transfers. By using the encryption keys, the city is also able to control how the data is accessed once the thumb drives leave the premises.
2. Turkcell approach: Uses classification software from Titus that monitors Microsoft Office business documents and alerts users when they try to copy that data to a thumb drive.
Turkcell is one of the largest wireless carriers in Turkey, with more than 30 million subscribers, 2,800 employees, and about 5,000 computers installed in the corporate office in Istanbul. The company classifies every file and adds encryption when employees use thumb drives, but it also uses a unique alerting system to warn users that they are about to copy sensitive data.
Gurkan Paplia, manager of enterprise infrastructure and security, says the company encrypts confidential data transfers to thumb drives. But it also uses Titus Classification for Office because most of the transfers for Microsoft Office files require extra security. (Also, the existing encryption engine the company uses can lead to false positives, flagging files as confidential when they are not.)
Girard says a default approach for any large company should be to block writing to any thumb drive. If there is a situation where a file must be copied, the employee can call the help desk for authorization based on job requirements and manager approval. That's what Turkcell has automated with the pop-up alerts.
Organizations should use a "least privilege" approach to thumb-drive security, similar to how Turkcell only allows the transfer of Office files, adds Damon Petraglia, a director at Chartstone, a security services company. CIOs should determine whether a department or specific employee really needs to transfer files to a thumb drive; if they do, the company should find a way to allow only certain types of files. In other cases, thumb drives should not even be allowed.
"If an employee does not absolutely need to use USB devices and thumb drives to complete his or her business functions, then these ports or avenues should be disabled," he says. "The only USB ports which should be open are dedicated to only those employees where it is essential to the business function."
3. Cigna approach: Allows employees to copy encrypted data, but they are prompted to type in a reason why they're copying. The reasons are later compared to the actual file transfers.
At Cigna, one of the largest health insurance companies in the U.S., with nearly 20,000 employees, the goal is to provide employees with enough flexibility to get their jobs done. Craig Shumard, former chief information security officer, says employees are allowed to use USB flash drives to transfer files, but there's a security strategy, too.
First, Shumard says, the company uses Verdasys Digital Guardian software to monitor all ports and encrypt data transfers. He says he is surprised how many large organizations do not take this basic step. Next, when employees try to transfer files to a thumb drive, they are prompted to type in the reasons for the transfer. Later, the data they actually transferred is compared to those reasons.
This approach gives employees the sense that they are able to transfer the files, but that there will be accountability for those actions. Shumard says the approach reduced the anxiety employees have over doing their jobs -- they might need to transfer files in a pinch to take them home for the night, and an employee might even decide it is more important to get the work done than to be secure.