Encrypt Your Flash Drive
The safest way to store, transport confidential data
- By Richard Kanadjian
- Sep 03, 2020
USB drives are convenient devices. They are used daily
by hundreds of millions of people around the world to
store or transport data, much of which would be considered
confidential. Chances are there are plenty of
USB drives floating around your company or organization right now.
Have you ever stopped to think about the potential security
threat these drives could pose? Yes, no, maybe? Well, it’s a good
question to ask yourself. Do your employees, contractors and visitors
who connect to your network ever use them? The answer to
that question doesn’t really matter, because if anyone has even so
much as thought about connecting a USB drive to your network,
your organization is at risk.
That goes for organizations large or small, across all departments,
all industries and all geographies. USB drives pose a threat,
and the more unprepared you are for handling such a threat, the
greater the chances are that at some point, you will have a problem.
Potentially, a big problem. Do a simple Google search on data
loss involving non-encrypted USBs and you will see numerous examples
of organizations that did not have a solid plan in place and
what the legal, financial and reputational consequences.
There are four major ways a USB drive can pose a threat:
Someone in your organization. Someone could accidentally
loses such a drive that is full of data, especially what is known as
Personally Identifiable Information. That happens often — way
too often. Laundries often find hundred of drives in clothes they
clean; this is a type of drive loss that is often invisible to enterprises
yet still a potential breach.
A USB drive full of data. Important information gets stolen
from your organization. People have been known to walk out of
a company they were visiting carrying USB drives loaded with
proprietary or legally protected information.
A trusted employee. Someone has become disgruntled and has
absconded a device with confidential company data via a USB drive.
Someone in your organization. An infected USB drive has been
found and, whether out of curiosity or in a noble attempt to find
the owner, plugs it in. A large-scale study conducted at the University
of Illinois showed that 48 percent of people who find USB
drives plug them in and click on at least one file. For whatever
reason they did so, the results to your network are the same if the
drive is infected with malware.
So what do you do? You have several alternatives other than
doing nothing. You can completely ban anyone connected to
your company from ever using a USB drive at work or for workrelated
projects. Or, you can implement a company-wide plan on
how they are to be used.
A third option is a practical compromise between the two.
When policies are too difficult to enforce, and a full ban on USB
drives would be impractical, encrypted USB drives make ideal solutions.
Whether the drives are lost or stolen, dropped or handed
to a corporate spy, encrypted USB drives will never give up their
secrets, as unauthorized users cannot simply plug them in and
read the data.
So what do you need to do? First and foremost, incorporate
encrypted USB Flash drives and policies into your organization’s
overall security strategy. If you don’t have such a plan and guidelines
in place, your organization is at risk at every level — including
failure to comply with regulations. The best time to develop
an encrypted USB plan is before you need to prove you had one.
Identify the Best USB Flash Drives for
Simple analysis of what your organization needs and recognizing
there is a range of easy-to-use, cost-effective, encrypted
USB Flash drive solutions can go a long way toward enabling you
to get a handle on the issue of managing risks and reducing costs.
A good place to start is to select the appropriate USB Flash
drive that best fits your organization’s needs. Determine the reliability
and integrity of USBs by confirming compliance with
leading security standards such as AES 256 Encryption, FIPS
197 or FIPS 140-2 Level 3, and various other managed solution
options. Also, some USB companies, such as Kingston, provide a
customized option for businesses that require specific needs.
Be sure to balance company needs for cost, security and productivity.
Ensure you have the right level of data security for the
right price. Don’t pick a drive with all the bells and whistles because
you believe it to be the best if you’re not going to make use
of all those bells and whistles. If you don’t need military-grade
anti-tampering security don’t pay for it, but do buy an Advance
Encrypted Standard (AES) 256-bit encrypted drive for best data
security. It is also a good idea to get HR and senior management
involved to support your USB data-security initiatives.
Train and Educate
Education should always be the first line of defense, and explaining
the different threat scenarios associated with USB drives
may go a long way toward modifying bad USB behaviors.
If you don’t train and educate end users, you will not have
a tightly sealed data-leak prevention strategy and you are more
prone to be breached. A Ponemon Institute Study regarding USB
security found that 72 percent of employees use free (as in no
cost, ‘look what that nice person just gave me’ type of free) drives
they pick up at conferences, tradeshows, business meetings, even
in organizations that offer ‘approved’ USB options.
All new and current employees should be trained as part of
your company’s orientation and ongoing training. Establish
a training program that educates employees on acceptable and
unacceptable use of USB Flash drives and the dangers of using
Bring Your Own Device (BYOD) items. Take users through actual
breach incidents and other negative consequences that occur
when using non-encrypted USBs.
Establish and Enforce Policies
Your organization should institute policies for the proper use
of electronic portable storage media, including USB Flash drives.
Here are three steps to begin the process.
- Identify those individuals and groups needing access to and/
or download sensitive and confidential data on encrypted USB
drives, then set a policy that allows them access.
- Document policies for your IT team and end users.
- Mandate that all employees attend training and sign an agreement
post-training, so they understand the acceptable-use policies
and the implications of not following guidelines.
If you don’t have the right policies in place, USB drives can
potentially be the downfall of your data-security strategy. Setting
a policy is the first step and an incredibly important one.
Provide Company-approved USB Drives
If you don’t provide encrypted USBs and implement policies
that allow end users to be productive, out of necessity, employees
will find a way to work around these security systems. Providing
employees with approved, encrypted USB Flash drives for use
in their job is an excellent way to assure that company-approved
USBs are being used.
Here are a few guidelines to use in choosing the type of USB
Flash Drive to give your employees:
- Proven hardware-based encryption using Advanced Encryption
Standard (AES) 256. Hardware-based security provides portability
and superior encryption over host-based software encryption.
- User storage space should be 100-percent encrypted. No nonsecured
storage space should be provided.
- Hardware-based password authentication that limits the number
of consecutive wrong password attempts by locking the devices
when maximum number of wrong attempts is reached.
- Your selected drive meets the FIPS standards for your particular
industry or company’s needs: FIPS 197 and/or FIPS 140-2
Manage Authorized USB Drives and
Block Unapproved Devices
If you do not manage authorized drives, sensitive data can
be copied onto these devices and shared with outsiders and your
organization is the next statistic for data loss or theft.
If you don’t encrypt data before it is saved on the USB drive,
hackers can bypass your anti-virus, firewall, or other controls, and
that information is vulnerable. To ensure that your data is safe, it
should be encrypted before being sent out via email or saved on
removable storage devices. For organizations in which confidential
or sensitive data is part of your business – such as financial,
healthcare and government, encryption is the most trustworthy
means of protection. Following the above will
provide a “safe harbor” from penalties and or
lawsuits related to data loss disclosures following
This article originally appeared in the September 2020 issue of Security Today.