The best way to lock down your USB storage devices involves a clever combination of technology and policy.
This year hasn't been a particularly good one for those responsible for IT security at Barclays. At the end of July, the beleaguered bank was informed that criminals had access to the personal details of 13,000 of its customers - and they were all contained on a tiny device, smaller than a packet of chewing gum.
Police found a USB stick containing the details by chance in a raid. It contained not just names, but what amounted to the complete identities of Barclays' customers, who had entrusted the firm with that data. Dates of birth, addresses, national insurance numbers and other details were saved on the drive. Jobs, salaries, details of debt, insurance policies and mortgages littered the electronic device, according to a report in the Daily Mail.
Only in today's technologically advanced business environment could an object so small wreak so much havoc. USB sticks are a notorious threat vector for today's company. Thousands of sensitive records can be copied to them almost instantly. They are easy for unscrupulous employees to sneak out of a building and sell on to criminals. Even if staff are well-intentioned and honest, the USB drives on which they store company data are easy to lose.
Such mishaps happen all the time. In July, East Sussex NHS Trust was forced to apologise to over 3000 patients, after a member of the public found a USB stick on the street containing all of their personal details.
The headlines are plagued with such cases. That's not surprising, given how many people use USB drives to transport their employers' files from the premises. A third of all workers store and transfer files using USB sticks, according to a survey on remote working carried out by Imation and Vanson Bourne.
A need for better USB security
Here's the thing: the first USB flash drive was sold in 2000, before even the first report was released. You'd think, by now, that organisations would have learned how to deal with them, but many companies are still failing to put even rudimentary guidelines in place concerning their use. The Vanson Bourne study found that only six in 10 respondents in the UK were aware of a current policy for remote working at their company. 12% said that their companies had no plans to implement one, while 16% didn't know one way or the other, which is as bad as not having one at all.
We can be better. In the world of enterprise data, a stitch in time really does save nine. Putting measures in place now to protect company data from leaking via mobile storage could help to avoid embarrassing headlines later on, not to mention potential legal and financial ramifications.
The most obvious technology option is encryption. Encrypted drives are typically worthless when they fall into the wrong hands, but many companies are still failing to use encryption with removable storage. In the UK, just 37% of respondents said that data was encrypted when they left the office. That leaves an awful lot of unprotected data, should removable media leave an employee's possession.
Encryption cannot be optional if it is to be effective, though, or employees may forget or choose not to use it. IT administrators can prevent employees (or visitors) from copying data to USB drives in the enterprise by using tamper-proof encryption software installed on the endpoint. This can be made to encrypt all data by default.
Ideally, a USB device will work with this endpoint software, and with some form of central policy management software, to create a secure ecosystem for removable storage. Code on the USB device will communicate with the central management console, enabling IT teams to administer large numbers of these USB keys en masse. Other keys can be blocked from mounting themselves on the system using, say, Windows Group Policy.
This joined-up approach to removable storage management empowers IT teams to implement group policies for supported USB devices, including remote wiping and termination of devices that have been lost or stolen. Policies might also include self-service password recovery for encrypted devices.
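One way to check that an endpoint really does block unmanaged keys through Windows Group Policy, as mentioned above. This is an added example, not part of the original article or any vendor's product. It assumes the machine-wide registry locations where Windows stores its Removable Storage Access and Device Installation Restrictions policy settings, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the machine-wide removable storage policies.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
# Device class GUID that the "Removable Disks: Deny ..." settings are stored under
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting "Not Configured")
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-UsbStoragePolicy {
    $storage = Join-Path $PolicyRoot 'RemovableStorageDevices'
    $disks   = Join-Path $storage $RemovableDisks
    $install = Join-Path $PolicyRoot 'DeviceInstall\Restrictions'

    # Hardware IDs that may still install when unlisted devices are blocked
    $allowed = @()
    $idKey = Get-Item -Path (Join-Path $install 'AllowDeviceIDs') -ErrorAction SilentlyContinue
    if ($null -ne $idKey) {
        $allowed = @($idKey.GetValueNames() | ForEach-Object { $idKey.GetValue($_) })
    }

    $denyAll    = (Get-PolicyValue $storage 'Deny_All') -eq 1
    $denyWrite  = (Get-PolicyValue $disks 'Deny_Write') -eq 1
    $denyOthers = (Get-PolicyValue $install 'DenyUnspecified') -eq 1
    $allowList  = (Get-PolicyValue $install 'AllowDeviceIDs') -eq 1

    # Unmanaged sticks are kept out if storage access is denied outright,
    # or if only allowlisted hardware IDs are permitted to install.
    $blocked = $denyAll -or ($denyOthers -and $allowList -and $allowed.Count -gt 0)

    [pscustomobject]@{
        DenyAllRemovableStorage = $denyAll
        DenyWriteToRemovable    = $denyWrite
        BlockUnlistedDevices    = $denyOthers
        AllowListEnabled        = $allowList
        AllowedDeviceIds        = $allowed
        UnmanagedKeysBlocked    = $blocked
    }
}

Get-UsbStoragePolicy | Format-List
```

The script only reads machine-wide policy; settings applied per user are not covered. The "block unlisted devices" setting applies to every device class, not just USB storage, so an allowlist must include everything else the endpoint needs.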
There's a reason that USB drives remain popular 15 years after their launch. They're useful ways to transport large amounts of data between devices and locations, making them the perfect tool for mobile workers. Without the proper protection, though, they can be keys for attackers to unlock your corporate assets. It'll take a combination of policy and technology to seal in your secrets.
By Nick Banks, VP EMEA and APAC, IronKey by Imation