Brink describes the approach at Cigna as "active/coarse-grained," in that the health insurance company uses heavy encryption, blocks and even quarantines files, and monitors behavior -- but the policies also include end-user justification for the file transfer and gives employees a sense of control.
4. University of Alabama, Birmingham Health System approach: Uses DeviceLock to monitor ports and encrypt data. Allows staff and students to use thumb drives at will, but all file transfers are monitored and recorded.
While many organizations rely on encryption to protect against thumb drive breaches, that is not the only approach available. At the University of Alabama at Birmingham (UAB) Health System, about 1,700 employees routinely use thumb drives, mostly for copying PowerPoint slides. However, as an organization that must adhere to HIPAA standards for patient records, the UAB Health System uses a multi-pronged approach.
First, USB ports are blocked entirely in most cases using DeviceLock software, which prevents most unauthorized file transfers. When doctors have a legitimate need to use a thumb drive, they can use an approved IronKey thumb drive that adds encryption. The software maintains a strict whitelist of approved IronKey drives assigned to employees.
The medical center chose this approach after conducting research about three years ago, says Terrell Herzig, the data security officer at UAB Health System. The organization monitored the use of all USB ports to see which files were transferred, and found that employees were using all sorts of USB thumb drives, as well as many brands of USB audio recorders.
Today, most employees will see an alert when they try to transfer files to an unapproved thumb drive. They can then call the help desk to request an IronKey drive to use. Using only approved devices affords a few other advantages. One is that the organization can shadow-copy file transfers to keep a record of which files were transmitted. Herzig says employees can also use the 1GB drives for other purposes while travelling or for home use.
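The UAB mechanism described above (block by default, allow only approved drives bound to a named employee, alert everyone else toward the help desk, shadow-copy every transfer to an approved drive) can be modelled as a small policy engine. The following is an added example, not code from the article or from the DeviceLock or IronKey products it mentions; the device identifiers, user names, file contents and the `"monitor"` audit mode that stands in for the research phase Herzig describes are all constructed assumptions.

```python
"""Allowlist-based removable-drive policy with shadow copies (added example).

Models the approach described in the article: removable drives are blocked by
default, only approved drives assigned to a named employee are allowed, any
other drive raises an alert pointing the user at the help desk, and every file
written to an approved drive is shadow-copied (hashed and recorded).  A
"monitor" mode models the audit-only research phase, where nothing is blocked
but every device and transfer is recorded.  All identifiers and data are
constructed sample values, not values from any real product or site.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class DeviceId:
    """Identity of a USB mass-storage device (constructed field layout)."""
    vendor: str    # USB vendor id as hex text
    product: str   # USB product id as hex text
    serial: str    # device serial; the allowlist is keyed on the whole tuple


@dataclass
class ShadowRecord:
    """One shadow-copy entry: who wrote what to which drive, and its hash."""
    when: str
    user: str
    serial: str
    path: str
    sha256: str
    size: int


@dataclass
class RemovableDrivePolicy:
    mode: str = "enforce"                           # "enforce" or "monitor"
    approved: dict = field(default_factory=dict)    # DeviceId -> assigned user
    seen: set = field(default_factory=set)          # serials observed so far
    shadow_log: list = field(default_factory=list)  # ShadowRecord entries
    alerts: list = field(default_factory=list)      # (user, serial, message)

    HELP_DESK_MSG = ("Unapproved removable drive blocked. "
                     "Contact the help desk to request an approved encrypted drive.")

    def assign(self, dev: DeviceId, user: str) -> None:
        """Add a drive to the allowlist, bound to exactly one employee."""
        self.approved[dev] = user

    def on_insert(self, dev: DeviceId, user: str) -> str:
        """Decide 'allow' or 'block' when a drive is plugged in."""
        self.seen.add(dev.serial)
        if self.mode == "monitor":
            return "allow"             # research phase: observe, never block
        if self.approved.get(dev) == user:
            return "allow"
        # Either not on the allowlist or assigned to a different employee;
        # both cases get the same alert so the user knows how to proceed.
        self.alerts.append((user, dev.serial, self.HELP_DESK_MSG))
        return "block"

    def on_write(self, dev: DeviceId, user: str, path: str, data: bytes) -> str:
        """Apply the insert decision to a file write; shadow-copy if allowed."""
        decision = self.on_insert(dev, user)
        if decision == "allow":
            self.shadow_log.append(ShadowRecord(
                when=datetime.now(timezone.utc).isoformat(),
                user=user, serial=dev.serial, path=path,
                sha256=hashlib.sha256(data).hexdigest(), size=len(data)))
        return decision

    def unapproved_seen(self) -> set:
        """Serials observed that are not on the allowlist (audit report)."""
        return self.seen - {d.serial for d in self.approved}


if __name__ == "__main__":
    # Constructed walk-through: one approved drive, one random stick.
    policy = RemovableDrivePolicy()
    approved = DeviceId("1234", "5678", "SAMPLE-SERIAL-001")
    policy.assign(approved, "dr_smith")
    print(policy.on_write(approved, "dr_smith", "grand_rounds.pptx", b"slides"))
    print(policy.on_write(DeviceId("abcd", "ef01", "RANDOM-STICK"),
                          "dr_smith", "notes.doc", b"notes"))
    print(policy.alerts, policy.unapproved_seen(), len(policy.shadow_log))
```

The allowlist is keyed on the full vendor/product/serial tuple and bound to one user, so a stray approved drive picked up by a colleague is treated like any unapproved stick; the shadow log stores a hash and size rather than a full copy, which is enough to prove later exactly which file left on which drive.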
Brink, the Aberdeen analyst, says the UAB Health System approach matches the "active/fine-grained" security that the City of Columbus uses, relying on encryption and monitoring, but focuses more on the thumb drive itself. He says organizational policies shouldn't be too soft or too hard (such as blocking access to almost all thumb drives) but should find a balance where the organization adopts standards and can encrypt on the fly.
Petraglia also urges companies to use a multi-pronged security approach to thumb drives where there are several tactics employed, not just one. "Once the data is on an employee's thumb drive the organization no longer controls it," he says, leaving the data open for theft. "The employees can [then] make copies or send that data from and to computers outside of the organization."
Whether the chosen security approach is to allow only one approved thumb drive, prompt users for the reasons they need to copy data, allow only Microsoft Office transfers, or classify files for approved transfers, each technique addresses one simple reality: Employees will use thumb drives, and they will find ways to continue using them.
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology.