Jan 23 2011

Of course they are – everything is a security risk. The question should be whether ereaders pose enough of a risk to your organisation to justify taking some form of action to reduce or eliminate that risk. The risks that ereaders pose can be broken down into three areas:

  1. Most ereaders are effectively USB memory sticks with a display. As such the risk is much the same as with any USB stick – a malicious employee could steal data and remove it from your organisation. The countermeasures are the same too – implement a policy that prevents memory sticks from being used when plugged in.
  2. Ereaders have an additional danger in that accidental leakage of confidential information is far more likely. People are unlikely to carry out a paper document marked “COSMIC TOP SECRET”, but if they put such documents onto an ereader, they are far more likely to walk out the door with it through simple neglect – that ereader with the “COSMIC TOP SECRET” document on it also has that harmless book “The Girl With The Dragon Tattoo” that I am reading in my spare time.
  3. Many ereader devices (such as Amazon’s Kindle) have a way of sending documents to the device over email – you email a special address on the supplier’s mail servers, and it trickles down to the ereader. That is pretty convenient for the user, but not only does it make the leakage of information easier, you also have to worry about how secure the supplier’s mail servers are.

If you need a certain level of security, that all makes it seem like ereaders should be banned at your organisation. That would be a shame because they can be useful – everyone knows how much paper can be wasted printing discussion documents and reports so they can be referred to in a meeting. An ereader means you can carry that pile of paper around far more easily.

Rather than simply ban ereaders, provide them for the workers to use. And ban them from going offsite. Security is more palatable if it is served with a smile.