In early May, IBM Global Chief Information Security Officer Shamla Naidoo sent an advisory to all IBM employees across the globe stating that IBM “is expanding the practice of prohibiting data transfer to all removable portable storage devices.” Some regional offices had already adopted this custom, but according to the statement, IBM has decided to implement the policy across its offices worldwide. The stated reason for the decision was to minimize “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices.”
The memo was leaked online and first covered by the UK-based The Register. The publication reported that IBM is attempting to implement a new internal “sync and share” digital network as an alternative to removable physical storage devices. Since breaking, the story has generated considerable buzz around the move and brought to light several complaints made by IBM employees. The objections were serious enough that IBM management has supposedly taken a step back and is considering possible exemptions to the policy, according to The Register.
Besides the reported internal divisions, there have been mixed reactions to the leaked announcement from outside observers. One security expert called it a “brave move” on social media, while another labeled it an “overreaction” by IBM. The decision is thought by many to be a response to the European Union’s General Data Protection Regulation (GDPR), which passed its compliance deadline last month.
Ruben Lugo, Product Marketing Manager of Kingston Technology, told Digital Trends that the move is nothing more than a “quick fix.” “That’s the easiest way to cover your rear end: Make an announcement that you’re banning everything to show that you’ve put a policy in place,” said Lugo. He told Digital Trends that those seeking to extract sensitive data will now merely put more effort into finding a way around the company’s firewalls to retrieve it online.
Physical protection is a critical portion of cybersecurity, yet it is still a relatively small part of the greater whole of defensive measures necessary to ensure network integrity. Relying on one method to safeguard your cyber systems can leave you vulnerable at other network entry points that can be just as easily exploited in internal or external breaches.