The miniature scapegoat

Steve Hall, EMEA product development manager for flash at Kingston, explains why USB drives are often unfairly blamed in incidents of data leakage – and how they can be made more secure.

Tags: Data Leakage PreventionData leakageKingston TechnologyUSA
  • E-Mail
The miniature scapegoat
By  Steve Hall Published  October 27, 2010

Steve Hall, EMEA product development manager for flash at Kingston, explains why USB drives are often unfairly blamed in incidents of data leakage – and how they can be made more secure.

Many organisations allocate a large portion of their IT budget to providing rock-solid data access protection. Servers are being locked down, external communications links are secured and data access management processes are foolproof, in an effort to ensure data security.  However, there is a predominant trend, which shows that most data losses are external to an organisations network.

During the last three years there has been a significant increase in the number of data breaches around the world. These cases range from lost laptops, CDs, floppy disks and even USB drives to unauthorised users trying to gain access to confidential data. Although big steps have been made, corporations need to become more responsible when it comes to end data security.

It has become standard practice to protect networks with sophisticated firewalls, access management policies and VPNs in a constant battle to stop unauthorised and/or malicious users gaining access to important data or systems. Organisations have to ensure that the security levels of their networks are constantly updated to avoid potential external threats. IT departments need to establish how valuable the data could be to an external party, as a malicious attacker is likely to spend more effort and resources to gain unauthorised access to key information.

However, one area that still tends to be overlooked is the transportation of data, even with the number of cases of lost data increasing, and the raise in penalties and fines for negligently losing information, many organisations are still not taking the basic steps to reduce the risks of unauthorised users accessing to confidential files. Since November 2007 in the UK alone, there were 818 reported incidents of lost data, and this does not take into account all of the issues not reported.

It is fair to say that most data losses are not malicious but there is a constant threat and organisations have experienced a rise in malicious attacks; this threat is mainly being overcome by ensuring that the security of companies’ networks is constantly updated. Many of the losses occur when an employee takes information outside of an organisation, yet they do so with the best intentions; maybe an employee wants to work on something at home, or whilst travelling.

It is the responsibility of the organisation to ensure that wherever that data goes, it is protected. The users do not necessarily understand the risks involved in moving information on an insecure USB flash device, most likely an everyday user is not aware of the massive fines that are now in place if that data is lost. Organisations need to ensure that employees are aware of the risks and the cost of these losses and ensure that sufficient data policies are in place.

The problem however, is not necessarily the device used but the lack of information and access protection. USB drives have been unfairly targeted by enterprises as the weak link in data protection policies; as the loss of any mobile storage device can be an issue as shown in recent reports. Organisations need to understand that fully encrypted storage devices are an essential component in keeping key information safe.

The majority of USB flash drives available are good for inexpensive transportation or as a medium to store data. Some of these drives have basic password protection or even antivirus protection, though these are still classed as a “consumer” USB flash drives. However, enterprises must align their choice of USB flash drive with the correct level of security required; this includes adhering to data protection policy requirements and taking into account the value of its existing information.

Organisations and employees need to understand the importance of hardware based encryption and recognise that it is an essential requirement for any organisation who is establishing a solid security set up. Those who opt for software based encryption are more vulnerable to attacks from external threats as it is often easier to bypass aspects that reveal the encryption key.

There are now a number of secure USB flash drives available on the market that offer 100% 256-bit encryption, and are standardised to work with all the major security, end-point management and network administration solutions. These drives vary in functionality and price, but the majority of them are perfect for setting a standard as to the transportation of data through an organisation.

It is important to note that an encrypted USB flash drive as a form of transporting important information is a good measure, but it is only part of a complete endpoint security solution. By using a software management solution, IT administrators are able to stop the use of all USB devices, and then add the required permissions for a specific encrypted drive. This means that if files are copied to a USB flash drive, they can be sure that it is fully encrypted and if lost, the information is not viewable to an unauthorised third party.

Organisations are now becoming more responsible with data security and taking into account the value of the information, to ensure that their networks are secure. When updating their security policies, an organisation must invest in the most robust security options and ensure that these are continuously updated to avoid unwanted penalties and negative public opinion. In terms of mobile data storage, an organisation must ensure that all devices used are encrypted using a hardware solution; currently 256-bit hardware encryption offer the best security solution for mobile data devices.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code