With the ubiquitous usage of USB drives to store and transport data, it's now more important than ever that your business has a strong data protection policy, and a data policy that takes special consideration of how USB drives are used right across your company.
Research has suggested that many companies have a security gap when it comes to their use of USB drives. Often, employees will use their own personal drives to transport data that has not been approved by their IT department. Worryingly, few businesses have a clear idea of how many USB drives are in use in their companies – official or otherwise – and whether these drives have been used to store sensitive data. Customer records, business and marketing plans have all been reported to have been copied to unprotected USB drives.
"While most of the world's enterprises are focused on protecting their networks from external threats from malware and hackers, the bigger risk for a data breach appears to be inside the organization. Workers are moving mass volumes of data on unsecured devices, often their own iPhones and flash drives, out of the network every day, and this makes businesses vulnerable to loss or theft of corporate or customer data," said Lawrence Reusing, general manager, Mobile Security for Imation. "As our research illuminates, most organisations do not have a handle on the devices and data that can walk out their door every day."
Creating a mobile security policy
The first step your business should take is to include USB drives in your business-wide data security policy. This policy should be communicated to all members of staff to ensure they fully understand their responsibilities.
Your business' security policy when USB drives are considered should include:
- That no personal drives should be connected to any of your business' computer systems or network, as this could infect your systems with viruses or malware.
- Only USB drives secured from your IT department should be used. These should all be tracked to ensure you business knows at any given time who is using which drive and for what purpose.
- All data that is transferred to a USB drive should be encrypted to 256-bit AES standards. Ensure that the encryption process is automatic to avoid this being forgotten and the copied data become vulnerable. Also, use hardware encryption and not software encryption to give maximum protection.
- Data that is transferred to a USB drive should be backed up to ensure that if lost or damaged, the copied data can be recovered.
- Drives should have the ability to be remotely terminated. This allows your IT department to disable a USB drive that is for instance, still in the possession of an ex-employee. Data can also be time expired to ensure it can't be copied back to your network storage.
- If a large number of USB drives will be in use, look for a vendor that offers a central control panel. This allows your IT department to update encryption, passwords and other authorisations remotely.
The USB drives in your business can look innocuous enough, but they could be a time bomb waiting to go off. However, taking steps now to bring these devices into your wider security policy is time and money well spent.
Creating encryption protection
Looking at the current market for secure USB drives can be a daunting task, as the sector has rapidly developed. There are though, market leaders you company should pay attention to when making its purchasing decisions. Leading suppliers of secure USB drives include:
If your company already has a number of USB drives in regular use, updating these with data encryption systems is now possible. Two of the leading vendors to consider include DESlock+ and Secured eUSB.
Windows users are also able to encrypt any USB drive using BitLocker To Go. When run, the application takes control of the USB drive and only allows access to anyone with the correct password. If the USB drive is connected to a Windows Vista or XP PC, the user will be prompted to install the BitLocker Top Go reader. Once this is complete the user will be prompted for a password. BitLocker takes control and makes the connected USB drive a read-only device.
There is no denying the fact that USB drives are a convenient way to store and transport vast amounts of data. The issue is that this must be done with security in mind. The ease with which sensitive data could find its way out of your business is frightening, but can be resolved if your enterprise takes some sensible steps to include these devices in your company's security policy.
Enforcing a data encryption policy is now a commercial imperative. Data is now some of the most valuable assets that businesses posses. It makes sense to protect those assets from loss. The steps your business can take to create a secure environment for USB drives isn't difficult to set up and operate. What's more, these initiatives could potentially save your business from substantial losses in the future.