Encrypt Your Flash Drive
The safest way to store, transport confidential data
- By Richard Kanadjian
- Sep 03, 2020
USB drives are convenient devices. They are used daily
by hundreds of millions of people around the world to
store or transport data, much of which would be considered
confidential. Chances are there are plenty of
USB drives floating around your company or organization right now.
Have you ever stopped to think about the potential security
threat these drives could pose? Yes, no, maybe? Well, it’s a good
question to ask yourself. Do your employees, contractors and visitors
who connect to your network ever use them? The answer to
that question doesn’t really matter, because if anyone has even so
much as thought about connecting a USB drive to your network,
your organization is at risk.
That goes for organizations large or small, across all departments,
all industries and all geographies. USB drives pose a threat,
and the more unprepared you are for handling such a threat, the
greater the chances are that at some point, you will have a problem.
Potentially, a big problem. Do a simple Google search on data
loss involving non-encrypted USBs and you will see numerous examples
of organizations that did not have a solid plan in place and
what the legal, financial and reputational consequences were.
There are four major ways a USB drive can pose a threat:
- Someone in your organization. Someone could accidentally
lose such a drive that is full of data, especially what is known as
Personally Identifiable Information. That happens often — way
too often. Laundries often find hundreds of drives in clothes they
clean; this is a type of drive loss that is often invisible to enterprises
yet still a potential breach.
- A USB drive full of data. Important information gets stolen
from your organization. People have been known to walk out of
a company they were visiting carrying USB drives loaded with
proprietary or legally protected information.
- A trusted employee. Someone has become disgruntled and has
absconded with confidential company data via a USB drive.
- Someone in your organization. An infected USB drive has been
found and, whether out of curiosity or in a noble attempt to find
the owner, someone plugs it in. A large-scale study conducted at the University
of Illinois showed that 48 percent of people who find USB
drives plug them in and click on at least one file. For whatever
reason they did so, the results to your network are the same if the
drive is infected with malware.
So what do you do? You have several alternatives other than
doing nothing. You can completely ban anyone connected to
your company from ever using a USB drive at work or for work-related
projects. Or, you can implement a company-wide plan on
how they are to be used.
A third option is a practical compromise between the two.
When policies are too difficult to enforce, and a full ban on USB
drives would be impractical, encrypted USB drives make ideal solutions.
Whether the drives are lost or stolen, dropped or handed
to a corporate spy, encrypted USB drives will never give up their
secrets, as unauthorized users cannot simply plug them in and
read the data.
So what do you need to do? First and foremost, incorporate
encrypted USB Flash drives and policies into your organization’s
overall security strategy. If you don’t have such a plan and guidelines
in place, your organization is at risk at every level — including
failure to comply with regulations. The best time to develop
an encrypted USB plan is before you need to prove you had one.
Identify the Best USB Flash Drives for Your Organization
Simple analysis of what your organization needs and recognizing
there is a range of easy-to-use, cost-effective, encrypted
USB Flash drive solutions can go a long way toward enabling you
to get a handle on the issue of managing risks and reducing costs.
A good place to start is to select the appropriate USB Flash
drive that best fits your organization’s needs. Determine the reliability
and integrity of USBs by confirming compliance with
leading security standards such as AES 256 Encryption, FIPS
197 or FIPS 140-2 Level 3, and various other managed solution
options. Also, some USB companies, such as Kingston, provide a
customized option for businesses that have specific needs.
Be sure to balance company needs for cost, security and productivity.
Ensure you have the right level of data security for the
right price. Don’t pick a drive with all the bells and whistles because
you believe it to be the best if you’re not going to make use
of all those bells and whistles. If you don’t need military-grade
anti-tampering security, don’t pay for it, but do buy an Advanced
Encryption Standard (AES) 256-bit encrypted drive for best data
security. It is also a good idea to get HR and senior management
involved to support your USB data-security initiatives.
Train and Educate
Education should always be the first line of defense, and explaining
the different threat scenarios associated with USB drives
may go a long way toward modifying bad USB behaviors.
If you don’t train and educate end users, you will not have
a tightly sealed data-leak prevention strategy and you are more
prone to be breached. A Ponemon Institute Study regarding USB
security found that 72 percent of employees use free (as in no
cost, ‘look what that nice person just gave me’ type of free) drives
they pick up at conferences, tradeshows, business meetings, even
in organizations that offer ‘approved’ USB options.
All new and current employees should be trained as part of
your company’s orientation and ongoing training. Establish
a training program that educates employees on acceptable and
unacceptable use of USB Flash drives and the dangers of using
Bring Your Own Device (BYOD) items. Take users through actual
breach incidents and other negative consequences that occur
when using non-encrypted USBs.
Establish and Enforce Policies
Your organization should institute policies for the proper use
of electronic portable storage media, including USB Flash drives.
Here are three steps to begin the process.
- Identify those individuals and groups needing to access and/or
download sensitive and confidential data on encrypted USB
drives, then set a policy that allows them access.
- Document policies for your IT team and end users.
- Mandate that all employees attend training and sign an agreement
post-training, so they understand the acceptable-use policies
and the implications of not following guidelines.
If you don’t have the right policies in place, USB drives can
potentially be the downfall of your data-security strategy. Setting
a policy is the first step and an incredibly important one.
Provide Company-approved USB Drives
If you don’t provide encrypted USBs and implement policies
that allow end users to be productive, out of necessity, employees
will find a way to work around these security systems. Providing
employees with approved, encrypted USB Flash drives for use
in their job is an excellent way to assure that company-approved
USBs are being used.
Here are a few guidelines to use in choosing the type of USB
Flash Drive to give your employees:
- Proven hardware-based encryption using Advanced Encryption
Standard (AES) 256. Hardware-based security provides portability
and superior encryption over host-based software encryption.
- User storage space should be 100-percent encrypted. No non-secured
storage space should be provided.
- Hardware-based password authentication that limits the number
of consecutive wrong password attempts by locking the devices
when the maximum number of wrong attempts is reached.
- Your selected drive meets the FIPS standards for your particular
industry or company’s needs: FIPS 197 and/or FIPS 140-2
Level 3.
Manage Authorized USB Drives and Block Unapproved Devices
If you do not manage authorized drives, sensitive data can
be copied onto these devices and shared with outsiders, and your
organization becomes the next statistic for data loss or theft.
If you don’t encrypt data before it is saved on the USB drive,
hackers can bypass your anti-virus, firewall, or other controls, and
that information is vulnerable. To ensure that your data is safe, it
should be encrypted before being sent out via email or saved on
removable storage devices. For organizations in which confidential
or sensitive data is part of your business – such as financial,
healthcare and government – encryption is the most trustworthy
means of protection. Following the above will provide a “safe harbor”
from penalties and/or lawsuits related to data loss disclosures
following new regulations.
This article originally appeared in the September 2020 issue of Security Today.