Cara Garretson at Network World published a great article today, titled "Can an iPod bring down your company?". If you haven't read it already, I recommend it.
Of course, where data theft is concerned, iPods are a specific risk only because of their ubiquity. There are many other ways to steal data besides using an iPod. The fact that seemingly every employee or visitor to a company has one may make it more convenient for someone to steal data opportunistically, but it is doubtful that iPods in themselves present a threat. Banning iPods (or controlling whether people can copy data to them) may help keep the honest (and perhaps technically illiterate) people honest, but it would do very little to protect against dishonest people.
Having said that, I do disagree with what Tom Scocca says on page 2 of the article: "Controls targeted at these devices should be based not on the type of device, but on the risk that companies are willing to accept by allowing any type of external storage device into the environment." I disagree with his assessment because the type of device certainly does matter! For example, iPods are charged by plugging them into a computer. (Yes, I realize there are alternative ways of charging an iPod, but almost everyone charges them this way.) So it would not be unusual for an employee to have an iPod plugged into his or her work computer, and doing so would not raise a red flag with a supervisor or co-worker. Worse, merely having a large-capacity personal storage device plugged in all day may be enough to tempt an otherwise honest person into stealing information they otherwise wouldn't have touched.
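To make the distinction above concrete, here is an added example (not code from the article or from any vendor mentioned in it) that parses constructed Linux kernel log lines for USB attach events and evaluates them under both kinds of control: a device-type rule that flags a named vendor (Apple's USB vendor ID 05ac is real; the product IDs, hostnames and timestamps in the sample log are made up) and a storage-risk rule that flags any mass-storage device over a capacity threshold regardless of make. The attribution of the `[sdX]` capacity line to the most recently attached mass-storage device is a heuristic for this example, not a guarantee the kernel makes.

```python
import re
from dataclasses import dataclass

# Constructed syslog-style kernel lines (not from the article). The field layout
# mimics what Linux prints when USB devices, including mass storage, are attached.
SAMPLE_LOG = """\
Apr  6 09:12:01 ws17 kernel: usb 1-2: new high-speed USB device number 5 using ehci-pci
Apr  6 09:12:01 ws17 kernel: usb 1-2: New USB device found, idVendor=05ac, idProduct=1209
Apr  6 09:12:01 ws17 kernel: usb 1-2: Product: iPod
Apr  6 09:12:01 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Apr  6 09:12:02 ws17 kernel: sd 6:0:0:0: [sdb] 117210240 512-byte logical blocks: (60.0 GB/55.9 GiB)
Apr  6 10:40:15 ws17 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c
Apr  6 10:40:15 ws17 kernel: usb 1-4: Product: USB Keyboard
Apr  6 11:05:33 ws17 kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5567
Apr  6 11:05:33 ws17 kernel: usb 1-3: Product: Cruzer Blade
Apr  6 11:05:33 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Apr  6 11:05:34 ws17 kernel: sd 7:0:0:0: [sdc] 7821312 512-byte logical blocks: (4.00 GB/3.73 GiB)
"""

NEW_DEV = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")
STORAGE = re.compile(r"usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
DISK = re.compile(r"\[(?P<node>sd[a-z]+)\] (?P<blocks>\d+) (?P<bsize>\d+)-byte logical blocks")

APPLE_VID = "05ac"  # Apple's registered USB vendor ID


@dataclass
class UsbDevice:
    path: str            # USB bus path, e.g. "1-2"
    vendor_id: str
    product_id: str
    name: str = ""
    mass_storage: bool = False
    node: str = ""       # block device node, e.g. "sdb", once known
    capacity_bytes: int = 0


def parse_usb_events(log_text):
    """Correlate kernel lines into one UsbDevice per attached USB bus path."""
    devices = {}  # path -> UsbDevice; insertion order is attach order
    for line in log_text.splitlines():
        if (m := NEW_DEV.search(line)):
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
        elif (m := PRODUCT.search(line)) and m["path"] in devices:
            devices[m["path"]].name = m["name"].strip()
        elif (m := STORAGE.search(line)) and m["path"] in devices:
            devices[m["path"]].mass_storage = True
        elif (m := DISK.search(line)):
            # The sd line carries no USB path, so attribute it to the most recent
            # mass-storage device that has not yet been given a disk (heuristic).
            for dev in reversed(devices.values()):
                if dev.mass_storage and not dev.node:
                    dev.node = m["node"]
                    dev.capacity_bytes = int(m["blocks"]) * int(m["bsize"])
                    break
    return list(devices.values())


def flag_by_device_type(devices, banned_vendor_ids=frozenset({APPLE_VID})):
    """Device-type control: flag a named class of device (here, by vendor ID)."""
    return [d for d in devices if d.vendor_id in banned_vendor_ids]


def flag_by_storage_risk(devices, max_bytes=0):
    """Risk-based control: flag any external storage above a capacity limit,
    whatever make it is. max_bytes=0 flags every mass-storage device."""
    return [d for d in devices if d.mass_storage and d.capacity_bytes > max_bytes]


if __name__ == "__main__":
    devs = parse_usb_events(SAMPLE_LOG)
    for d in devs:
        print(f"{d.path:>4} {d.vendor_id}:{d.product_id} {d.name!r:16} "
              f"storage={d.mass_storage} node={d.node or '-'} bytes={d.capacity_bytes}")
    print("by device type :", [d.name for d in flag_by_device_type(devs)])
    print("by storage risk:", [d.name for d in flag_by_storage_risk(devs)])
```

Run against the sample, the device-type rule flags only the iPod, while the storage rule flags both the iPod and the SanDisk key and ignores the keyboard; raising the threshold to a few gigabytes keeps the 60 GB iPod flagged and lets the 4 GB key through. Neither rule sees anything the kernel does not log, so a device presented as something other than mass storage (or data leaving by e-mail, camera phone or printout, as the next paragraph notes) is outside both.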
A dishonest person, or one who really wants a specific piece of data, is probably going to get it even without an iPod. Email, FTP, USB keys, memorization, camera phones, print-outs, or whatever else all put data at risk. If someone can see your data, it is at risk. If someone can't see your data but can access it (for example, an encrypted file that can be copied but not opened or viewed), it is still at risk. David Jordan sums it up nicely at the end of page 2: "We have to rely on our trusted employees." Very true, even if his assumption, that because users agree to an AUP when they log on they are therefore trustworthy, is asinine.
When speaking of "data" or "information" theft in these scenarios, a couple of seemingly obvious things are typically overlooked by the analysts. They never seem to mention the risk of a person stealing the software itself. They never seem to mention the productivity loss caused by an employee doing personal work on the company's machine. They never seem to mention the risk of an employee simply downloading files from the Internet all day and copying them to his or her device before leaving for the day. And they never seem to mention one of the most obvious risks of all: data flowing the other way, from the device onto the computer, which exposes the company to security vulnerabilities, lost productivity, liability for unlicensed software being installed, and much more.
And it's not just the analysts who miss the point. Cara's story is based on, or inspired by, a press release put out on April 6 by a company that just so happens to sell end-point security software designed to protect against the iPod threat. It was a brilliant piece of PR that garnered a lot of attention. But the press release does miss the point: of course end-point security is a good thing, particularly these days when not a week goes by without a news story of yet another company suffering a major data breach, but it is foolhardy to think that data breaches will be completely stopped by implementing such a solution. According to the company's press release, "the company now believes that the use of iPods for "Pod Slurping" could be one of the biggest "Pocket Fraud" assets for rogue employees to store a variety of confidential data and should be banned until proper policy enforcement capabilities are in place." Well, yeah, of course they believe that! But note the "rogue employees" comment: you're not going to stop a rogue employee this way, though you may succeed in stopping an otherwise honest employee from making a mistake. You are very likely to succeed in turning off your own employees if you jump to irrational conclusions and don't think it through.
The decision to ban iPods or implement a security solution is one that many organizations should consider, but it is a decision that must be made carefully after weighing the social and monetary costs and benefits; it should not be made hastily on the strength of an interested party's press release!