Encrypt Your Flash Drive The safest way to store, transport confidential data
By Richard Kanadjian
USB drives are convenient devices. They are used daily by hundreds of millions of people around the world to store or transport data, much of which would be con- sidered confidential. Chances are there are plenty of USB drives floating around your company or organization right now.
Have you ever stopped to think about the potential security threat these drives could pose? Yes, no, maybe? Well, it’s a good question to ask yourself. Do your employees, contractors and vis- itors who connect to your network ever use them? The answer to that question doesn’t really matter, because if anyone has even so much as thought about connecting a USB drive to your network, your organization is at risk.
That goes for organizations large or small, across all depart- ments, all industries and all geographies. USB drives pose a threat, and the more unprepared you are for handling such a threat, the greater the chances are that at some point, you will have a prob- lem. Potentially, a big problem. Do a simple Google search on data loss involving non-encrypted USBs and you will see numerous ex- amples of organizations that did not have a solid plan in place and what the legal, financial and reputational consequences.
There are four major ways a USB drive can pose a threat:
Someone in your organization. Someone could accidentally loses such a drive that is full of data, especially what is known as Personally Identifiable Information. That happens often — way too often. Laundries often find hundred of drives in clothes they clean; this is a type of drive loss that is often invisible to enter- prises yet still a potential breach.
A USB drive full of data. Important information gets stolen from your organization. People have been known to walk out of a company they were visiting carrying USB drives loaded with proprietary or legally protected information.
A trusted employee. Someone has become disgruntled and has absconded a device with confidential company data via a USB drive. Someone in your organization. An infected USB drive has been found and, whether out of curiosity or in a noble attempt to find the owner, plugs it in. A large-scale study conducted at the Uni- versity of Illinois showed that 48 percent of people who find USB drives plug them in and click on at least one file. For whatever reason they did so, the results to your network are the same if the
drive is infected with malware.
So what do you do? You have several alternatives other than
doing nothing. You can completely ban anyone connected to your company from ever using a USB drive at work or for work- related projects. Or, you can implement a company-wide plan on how they are to be used.
A third option is a practical compromise between the two. When policies are too difficult to enforce, and a full ban on USB drives would be impractical, encrypted USB drives make ideal so- lutions. Whether the drives are lost or stolen, dropped or handed to a corporate spy, encrypted USB drives will never give up their secrets, as unauthorized users cannot simply plug them in and read the data.
So what do you need to do? First and foremost, incorporate encrypted USB Flash drives and policies into your organization’s overall security strategy. If you don’t have such a plan and guide- lines in place, your organization is at risk at every level — includ- ing failure to comply with regulations. The best time to develop an encrypted USB plan is before you need to prove you had one.
Identify the Best USB Flash Drives for Your Organization
Simple analysis of what your organization needs and recog- nizing there is a range of easy-to-use, cost-effective, encrypted USB Flash drive solutions can go a long way toward enabling you to get a handle on the issue of managing risks and reducing costs.
A good place to start is to select the appropriate USB Flash drive that best fits your organization’s needs. Determine the re- liability and integrity of USBs by confirming compliance with leading security standards such as AES 256 Encryption, FIPS 197 or FIPS 140-2 Level 3, and various other managed solution options. Also, some USB companies, such as Kingston, provide a customized option for businesses that require specific needs.
Be sure to balance company needs for cost, security and pro- ductivity. Ensure you have the right level of data security for the right price. Don’t pick a drive with all the bells and whistles be- cause you believe it to be the best if you’re not going to make use of all those bells and whistles. If you don’t need military-grade anti-tampering security don’t pay for it, but do buy an Advance Encrypted Standard (AES) 256-bit encrypted drive for best data security. It is also a good idea to get HR and senior management involved to support your USB data-security initiatives.
Train and Educate
Education should always be the first line of defense, and ex- plaining the different threat scenarios associated with USB drives may go a long way toward modifying bad USB behaviors.
If you don’t train and educate end users, you will not have a tightly sealed data-leak prevention strategy and you are more prone to be breached. A Ponemon Institute Study regarding USB security found that 72 percent of employees use free (as in no cost, ‘look what that nice person just gave me’ type of free) drives they pick up at conferences, tradeshows, business meetings, even in organizations that offer ‘approved’ USB options.
All new and current employees should be trained as part of your company’s orientation and ongoing training. Establish a training program that educates employees on acceptable and unacceptable use of USB Flash drives and the dangers of using Bring Your Own Device (BYOD) items. Take users through ac- tual breach incidents and other negative consequences that occur when using non-encrypted USBs.
Establish and Enforce Policies
Your organization should institute policies for the proper use of electronic portable storage media, including USB Flash drives.
10
0920 | SECURITY TODAY
CYBER SECURITY