Encrypt Your Flash Drive

Encrypt Your Flash Drive

The safest way to store, transport confidential data

USB drives are convenient devices. They are used daily by hundreds of millions of people around the world to store or transport data, much of which would be considered confidential. Chances are there are plenty of USB drives floating around your company or organization right now.

Have you ever stopped to think about the potential security threat these drives could pose? Yes, no, maybe? Well, it’s a good question to ask yourself. Do your employees, contractors and visitors who connect to your network ever use them? The answer to that question doesn’t really matter, because if anyone has even so much as thought about connecting a USB drive to your network, your organization is at risk.

That goes for organizations large or small, across all departments, all industries and all geographies. USB drives pose a threat, and the more unprepared you are for handling such a threat, the greater the chances are that at some point, you will have a problem. Potentially, a big problem. Do a simple Google search on data loss involving non-encrypted USBs and you will see numerous examples of organizations that did not have a solid plan in place and what the legal, financial and reputational consequences.

There are four major ways a USB drive can pose a threat:

Someone in your organization. Someone could accidentally loses such a drive that is full of data, especially what is known as Personally Identifiable Information. That happens often — way too often. Laundries often find hundred of drives in clothes they clean; this is a type of drive loss that is often invisible to enterprises yet still a potential breach.

A USB drive full of data. Important information gets stolen from your organization. People have been known to walk out of a company they were visiting carrying USB drives loaded with proprietary or legally protected information.

A trusted employee. Someone has become disgruntled and has absconded a device with confidential company data via a USB drive.

Someone in your organization. An infected USB drive has been found and, whether out of curiosity or in a noble attempt to find the owner, plugs it in. A large-scale study conducted at the University of Illinois showed that 48 percent of people who find USB drives plug them in and click on at least one file. For whatever reason they did so, the results to your network are the same if the drive is infected with malware.

So what do you do? You have several alternatives other than doing nothing. You can completely ban anyone connected to your company from ever using a USB drive at work or for workrelated projects. Or, you can implement a company-wide plan on how they are to be used.

A third option is a practical compromise between the two. When policies are too difficult to enforce, and a full ban on USB drives would be impractical, encrypted USB drives make ideal solutions. Whether the drives are lost or stolen, dropped or handed to a corporate spy, encrypted USB drives will never give up their secrets, as unauthorized users cannot simply plug them in and read the data.

So what do you need to do? First and foremost, incorporate encrypted USB Flash drives and policies into your organization’s overall security strategy. If you don’t have such a plan and guidelines in place, your organization is at risk at every level — including failure to comply with regulations. The best time to develop an encrypted USB plan is before you need to prove you had one.

Identify the Best USB Flash Drives for Your Organization

Simple analysis of what your organization needs and recognizing there is a range of easy-to-use, cost-effective, encrypted USB Flash drive solutions can go a long way toward enabling you to get a handle on the issue of managing risks and reducing costs.

A good place to start is to select the appropriate USB Flash drive that best fits your organization’s needs. Determine the reliability and integrity of USBs by confirming compliance with leading security standards such as AES 256 Encryption, FIPS 197 or FIPS 140-2 Level 3, and various other managed solution options. Also, some USB companies, such as Kingston, provide a customized option for businesses that require specific needs.

Be sure to balance company needs for cost, security and productivity. Ensure you have the right level of data security for the right price. Don’t pick a drive with all the bells and whistles because you believe it to be the best if you’re not going to make use of all those bells and whistles. If you don’t need military-grade anti-tampering security don’t pay for it, but do buy an Advance Encrypted Standard (AES) 256-bit encrypted drive for best data security. It is also a good idea to get HR and senior management involved to support your USB data-security initiatives.

Train and Educate

Education should always be the first line of defense, and explaining the different threat scenarios associated with USB drives may go a long way toward modifying bad USB behaviors.

If you don’t train and educate end users, you will not have a tightly sealed data-leak prevention strategy and you are more prone to be breached. A Ponemon Institute Study regarding USB security found that 72 percent of employees use free (as in no cost, ‘look what that nice person just gave me’ type of free) drives they pick up at conferences, tradeshows, business meetings, even in organizations that offer ‘approved’ USB options.

All new and current employees should be trained as part of your company’s orientation and ongoing training. Establish a training program that educates employees on acceptable and unacceptable use of USB Flash drives and the dangers of using Bring Your Own Device (BYOD) items. Take users through actual breach incidents and other negative consequences that occur when using non-encrypted USBs.

Establish and Enforce Policies

Your organization should institute policies for the proper use of electronic portable storage media, including USB Flash drives.

Here are three steps to begin the process.

  • Identify those individuals and groups needing access to and/ or download sensitive and confidential data on encrypted USB drives, then set a policy that allows them access.
  • Document policies for your IT team and end users.
  • Mandate that all employees attend training and sign an agreement post-training, so they understand the acceptable-use policies and the implications of not following guidelines. If you don’t have the right policies in place, USB drives can potentially be the downfall of your data-security strategy. Setting a policy is the first step and an incredibly important one.

Provide Company-approved USB Drives

If you don’t provide encrypted USBs and implement policies that allow end users to be productive, out of necessity, employees will find a way to work around these security systems. Providing employees with approved, encrypted USB Flash drives for use in their job is an excellent way to assure that company-approved USBs are being used.

Here are a few guidelines to use in choosing the type of USB Flash Drive to give your employees:

  • Proven hardware-based encryption using Advanced Encryption Standard (AES) 256. Hardware-based security provides portability and superior encryption over host-based software encryption.
  • User storage space should be 100-percent encrypted. No nonsecured storage space should be provided.
  • Hardware-based password authentication that limits the number of consecutive wrong password attempts by locking the devices when maximum number of wrong attempts is reached.
  • Your selected drive meets the FIPS standards for your particular industry or company’s needs: FIPS 197 and/or FIPS 140-2 Level 3.

Manage Authorized USB Drives and Block Unapproved Devices

If you do not manage authorized drives, sensitive data can be copied onto these devices and shared with outsiders and your organization is the next statistic for data loss or theft.

If you don’t encrypt data before it is saved on the USB drive, hackers can bypass your anti-virus, firewall, or other controls, and that information is vulnerable. To ensure that your data is safe, it should be encrypted before being sent out via email or saved on removable storage devices. For organizations in which confidential or sensitive data is part of your business – such as financial, healthcare and government, encryption is the most trustworthy means of protection. Following the above will provide a “safe harbor” from penalties and or lawsuits related to data loss disclosures following new regulations.

This article originally appeared in the September 2020 issue of Security Today.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3