Protecting data on lost and stolen USB drives


In October 2014, the Ministry of Justice joined the growing list - which includes North East Lincolnshire Council - of organisations to be fined by the Information Commissioner's Office (ICO) for breaching data protection laws. Nick Banks, head of EMEA and APAC for mobile security at Imation, explains what businesses can learn from this security breach.

An £80,000 fine was levied on North East Lincolnshire Council after a special educational needs teacher lost a USB stick that held personal and sensitive data of children with special educational needs.

Crucially, the USB stick was unencrypted and the ICO decided that "Personal data and sensitive personal data were lost due to the inappropriate technical and organisational measures taken by the data controller".

The large penalty makes this case notable, but unfortunately the situation from which the breach arose is not uncommon.

Some organisations choose to combat this issue by blocking the use of portable memory devices altogether, but these restrictions make it difficult for staff to do their jobs. So, how can organisations keep data secure without harming productivity?

The security remote control

Features such as remote wipe and remote kill could be part of the solution, and they are growing in prominence as news about data breaches and fines stacks up.

Enabling these functions means that as soon as a lost or stolen flash drive is plugged into an internet-connected computer or other device, the flash drive receives a command. This either wipes all data from the USB drive, or completely disables the drive so that it is entirely unusable.

Either way, the data on the device remains protected and a data breach is prevented.

Good for sensitive data

For highly sensitive data, organisations sometimes prefer the security of remote kill because it makes the flash drive useless and prevents all access, even by the people who are authorised.

This technique is particularly useful if you want to prevent an employee from taking data with them when they leave your organisation. Equally, if there happen to be inconsistencies in security procedures elsewhere, remote kill provides a handy extra layer of security.

However, although the principles of remote kill are very simple, the reality can be more technical. Making remote kill 100% effective requires your company to have a policy enforcement server that's accessed each time someone tries to read data from the USB drive.
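The difference a per-read policy check makes, as an added example that is not from the article or from any vendor's product: a small Python model in which `PolicyServer`, `ManagedDrive`, the drive ID and the sample data are all hypothetical and constructed. It compares a drive that acts on a kill or wipe command only when the server happens to be reachable with one that releases no data unless the server answers.

```python
from enum import Enum

class Policy(Enum):
    ALLOW = "allow"
    WIPE = "wipe"
    KILL = "kill"

class PolicyServer:
    """Hypothetical policy enforcement server: drive ID -> administrator's decision."""
    def __init__(self):
        self.decisions, self.reachable = {}, True

    def check(self, drive_id):
        if not self.reachable:
            raise ConnectionError("policy server unreachable")
        return self.decisions.get(drive_id, Policy.ALLOW)

class ManagedDrive:
    """Model of a managed drive; mandatory_check=True requires a server answer per read."""
    def __init__(self, drive_id, data, mandatory_check):
        self.drive_id, self.data = drive_id, data
        self.mandatory_check, self.killed = mandatory_check, False

    def read(self, server):
        """Return the stored bytes, or None when access is refused."""
        if self.killed:
            return None                      # a killed drive stays unusable, even offline
        try:
            decision = server.check(self.drive_id)
        except ConnectionError:
            if self.mandatory_check:
                return None                  # fail closed: no answer, no data
            decision = Policy.ALLOW          # best effort: the command never arrives
        if decision is Policy.KILL:
            self.killed = True
            return None
        if decision is Policy.WIPE:
            self.data = b""                  # data erased, drive itself still works
        return self.data

def lost_drive_scenario(mandatory_check, action=Policy.KILL):
    """Reads: before loss, after loss offline, after loss online, offline again."""
    server = PolicyServer()
    drive = ManagedDrive("drive-001", b"constructed sample record", mandatory_check)
    reads = [drive.read(server)]
    server.decisions[drive.drive_id] = action   # administrator reports the drive lost
    for reachable in (False, True, False):
        server.reachable = reachable
        reads.append(drive.read(server))
    return reads
```

The mandatory check is also where the added complexity comes from: in this model an authorised user with no route to the policy server cannot read the drive either.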

A precious safety net

Remote wipe and remote kill undoubtedly improve security, but also add an extra layer of complexity to your IT setup. For this reason, these technologies are best suited to high-security environments involving sensitive data.

In organisations that hold banking details, medical records or other highly sensitive data, remote kill and remote wipe act as a sort of safety net. They're a way to rescue potentially catastrophic situations.

They should not be used in isolation, and there should be many preventative measures in place ahead of this final line of defence. You can start with simple, cost-effective solutions such as proper staff training and encryption.
