
It's not that Abe Usher has anything against Apple's portable media player, exactly -- he even owns one, and is quick to extol its virtues.

But where most of us see an iPod as a repository for hours of musical entertainment, Mr. Usher sees a hiding place for thousands of company files, with which a smart thief can walk out of a building completely undetected.

Security consultants like Mr. Usher use the term "PodSlurping" to describe the way in which devices such as MP3 players, USB Flash drives or Sony Memory Sticks pose a risk to businesses and government agencies. Data theft tends to conjure up images of rogue programmers hacking into databases through the Internet, but PodSlurping suggests it can be much simpler and scarier than that.

With little technical expertise, almost anyone can plug one of these portable storage systems into a PC in an office, find what they're looking for on the network and download it while nobody's looking.

PodSlurping is the modus operandi for the inside job.

"Over the past 10 years, the majority of the people working in information security have had backgrounds in networking. As everyone got plugged into the Internet, when people thought of security, they thought of firewalls and access controls," says Mr. Usher, who is based in Arlington, Va. "Not all of these threats to companies exist outside of the corporate network."

Smaller businesses, which may not devote as many resources to IT security as their larger counterparts, could be particularly vulnerable to PodSlurping. It's not easy to keep track of who walks into an office building with an MP3 player, and most USB Flash drives are pretty small (they don't call them "thumb drives" or "keychain drives" for nothing).

Last year, Mr. Usher created a proof-of-concept software application called Slurp.exe that shows how easy it is to put PC files on an iPod. He recently followed it up with Slurp Audit, a tool that runs on portable storage devices and shows, once it has been plugged into a desktop, what kind of files could have been downloaded had a theft occurred.

Part of the problem, according to Mr. Usher, is that these devices plug into computers in a standard way. This makes them highly useful for connecting with each other (most laptops and PCs, for example, have a USB port), but it also raises the risk of PodSlurping that much higher.

"There are dishonest people in the world -- many of them work at many companies -- and these USB devices make it rather trivial to steal huge amounts of data," Mr. Usher says.

The threat of PodSlurping has opened up a new market for vendors around what's called "endpoint security." The products are usually software that makes sure users adhere to their company IT security policies. One such product, DeviceWall from Centennial Software of Portland, Ore., is designed to prevent the connection of unauthorized removable media devices to corporate PCs and laptops. It can block read/write access, for example, for anyone who does not have predefined authorization to download data. Securewave, of Luxembourg, offers a similar product called Sanctuary Device Control, designed to manage portable device access to desktops, tablets and laptops.

Although it's taking some time for awareness of the problem to spread to corporate decision makers, Centennial's vice-president of marketing, Brian McCarthy, says businesses are starting to earmark money for endpoint security in their annual budget cycles. "They're realizing they've pretty much covered the perimeter," he says. "I think 2005 was an educational year. It was the year they realized this is an issue."

In some cases, the IT security policy can be quite specific. Companies refer to "role-based" access, because the president of a small business, for instance, should be given more freedom to use these devices than a temporary worker. In others, employees simply need to be protected for their own good.
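To make the role-based device policy and the "predefined authorization" check concrete, here is an added example (not code from DeviceWall, Sanctuary or Mr. Usher's tools): a small Python policy evaluator run over constructed removable-media audit lines. The role names, log format and the 100 MB "large write" threshold are all assumptions chosen for illustration.

```python
import re

# Hypothetical role policy: what each role may do with removable storage.
# Unknown roles fall closed (deny), which is the safe default for device control.
ROLE_POLICY = {
    "sysadmin": "read_write",   # admins who legitimately need thumb drives
    "executive": "read_write",
    "staff": "read_only",       # can read a vendor's USB stick, cannot copy data out
    "temp": "deny",             # temporary workers get no removable media at all
}

# Constructed sample audit lines (not real logs): one per device access event.
LOG_LINES = [
    "2006-03-01T09:12:03 user=alice role=sysadmin dev=usb_mass_storage action=write bytes=5242880",
    "2006-03-01T09:40:17 user=bob role=temp dev=usb_mass_storage action=write bytes=734003200",
    "2006-03-01T10:02:55 user=carol role=staff dev=usb_mass_storage action=read bytes=1024",
    "2006-03-01T10:05:10 user=carol role=staff dev=usb_mass_storage action=write bytes=104857600",
    "2006-03-01T11:30:00 user=dave role=executive dev=ipod action=write bytes=209715200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) dev=(?P<dev>\S+) "
    r"action=(?P<action>read|write) bytes=(?P<bytes>\d+)$"
)

def decide(role, action):
    """Return True if the role policy permits this action on removable storage."""
    level = ROLE_POLICY.get(role, "deny")
    if level == "deny":
        return False
    if level == "read_only":
        return action == "read"
    return True

def audit(lines, large_write=100 * 1024 * 1024):
    """Return (user, reason) findings: policy violations, plus authorized writes
    large enough to deserve a second look even when the role allows them."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(("?", "unparseable audit line"))
            continue
        f = m.groupdict()
        if not decide(f["role"], f["action"]):
            findings.append((f["user"], f"{f['action']} to {f['dev']} denied for role {f['role']}"))
        elif f["action"] == "write" and int(f["bytes"]) >= large_write:
            findings.append((f["user"], f"large write ({int(f['bytes']) // (1024 * 1024)} MB) to {f['dev']}"))
    return findings

if __name__ == "__main__":
    for user, reason in audit(LOG_LINES):
        print(f"{user}: {reason}")
```

Enforcement products apply the same decision at the driver level before the copy happens; the audit view shown here is what a review of the resulting logs would surface.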

"A lot of guys are doing this non-maliciously -- they just want to be more effective," says Dennis Szerszen, Securewave's vice-president of marketing and corporate strategy. "They think, 'I'll just take this big spreadsheet home.' Then they lose the Memory Stick."

A few organizations have already decided that portable storage isn't worth the risk at all. Mr. Usher says he has clients that prohibit the use of iPods, USB Flash drives and similar devices in the workplace altogether. Such draconian measures, however, could create a trade-off in convenience that has an impact on productivity, he warns.

"If you have a blanket statement that says no one is allowed to use a USB thumb drive, that sounds good, that sounds secure, but you may have system administrators that need thumb drives," he says. "You can't go to one extreme or the other. You need to find the right balancing point in your own organization."

Mr. McCarthy agrees, pointing out that the move towards mobile computing means an ever-growing number of devices.

"How do you block against the use of a PDA in most business environments?" he says. "A ban can be difficult, if not impossible, to enforce."

Few businesses are really active about IT security, possibly because there haven't been a lot of high-profile PodSlurping horror stories yet to scare people into action. An exception is the U.S. Department of Energy, which was ordered to stop all classified work on computers two years ago until security for removable storage devices was tightened. According to a report from research firm Gartner Inc., the order followed the loss of two computer disks containing nuclear weapons information at Los Alamos National Laboratory in New Mexico. The incident emphasized the risks that portable storage devices pose to high-security computer operations.

It's possible, of course, that PodSlurping is happening within companies all the time, and they simply choose not to disclose it for fear of retribution from their customers and shareholders. It is precisely such a lack of information sharing that makes it hard to develop best practices around IT security.

If businesses were more transparent, there are a lot of secrets to protecting data they could pass on to each other -- perhaps more than even an iPod could contain.

Shane Schick is editor of ITBusiness.ca.

sschick@itbusiness.ca
